{"id":24260,"date":"2025-06-27T16:08:17","date_gmt":"2025-06-27T14:08:17","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0026\/"},"modified":"2025-07-01T10:26:28","modified_gmt":"2025-07-01T08:26:28","slug":"usd-2025-0026","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0026\/","title":{"rendered":"usd-2025-0026"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n

usd-2025-0026 | Agorum core open 11.9.1.3-1857 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)<\/h1>\n

<\/h1>\n

Product<\/strong>: Agorum core open
Affected Version<\/strong>: 11.9.1.3-1857
Vulnerability Type<\/strong>: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (CWE-79)
Security Risk<\/strong>: High
Vendor<\/strong>: Agorum
Vendor URL<\/strong>: https:\/\/www.agorum.com\/<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: Requested
CVE Link<\/strong>: Requested
Advisory ID<\/strong>: usd-2025-0026<\/p>\n

Description<\/h3>\n

agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.<\/p>\n

Proof of Concept<\/h3>\n

agorum core is affected by numerous reflected cross-site scripting (XSS) vulnerabilities across a wide range of parameters, indicating a lack of proper input sanitization and output encoding. These flaws can be exploited by attackers to inject malicious scripts, potentially compromising user sessions, stealing credentials, or defacing content. The widespread nature of the vulnerabilities suggests systemic issues in the application's input handling architecture.<\/p>\n

The following request can be crafted and sent to a victim. When opened, it executes JavaScript within the context of the victim\u2019s browser session:<\/p>\n

\n
<\/span>GET<\/span> \/roiwebui\/roiwebui_module\/BeginSSOLogin.jsp?userName=%22);}alert(document.domain);%3C\/script%3E<\/span> HTTP<\/span>\/<\/span>1.1
<\/span>Host<\/span>:<\/span> localhost
<\/span>[...]<\/span><\/pre>\n<\/div>\n
In the server's response, the user-supplied JavaScript is reflected and executed, resulting in an alert dialog, as demonstrated in the screenshot below:<\/p>\n
\"\"<\/p>\n
As previously mentioned, the payload above is provided as an example. There are numerous other endpoints that exhibit the same vulnerability. A non-exhaustive list includes:<\/p>\n