Allegra Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of a database. The issue results from the use of a hardcoded password. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-22360.
The vulnerability (CWE-798) results from the use of a static, hardcoded password in the database configuration of the Allegra application. Since the password is fixed and immutable, an attacker can discover or reproduce it and then use it to authenticate to the system without possessing valid credentials. The exploit requires no user interaction or any prior privileges, and the attack can be conducted remotely over the network.
An attacker can completely bypass the authentication mechanism and gain unauthorized access to the system, resulting in full compromise of confidentiality, integrity, and availability of data and applications.
Allegra should be updated to version 7.5.1 or newer in accordance with release information available at https://www.trackplus.com/en/service/release-notes-reader/7-5-1-release-notes-2.html.
Selected installations of Alltena's Allegra application; specific versions indicated in manufacturer references (vulnerability fixed in version 7.5.1 according to release information).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAlltena Allegra
APPAlltena< 7.5.1
Related vulnerabilities
Allegra: pominięcie uwierzytelnienia przez przewidywalny token odzyskiwania hasła
Allegra: path traversal w downloadExportedChart umożliwia ominięcie uwierzytelnienia
Allegra extractFileFromZip Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows ...
Allegra isZipEntryValide Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows re...
Allegra saveFile Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote att...