usd-2025-0028 | agorum core open 11.9.1.3-1857 - Incorrect Authorization
Product: agorum core open
Affected Version: 11.9.1.3-1857
Vulnerability Type: Incorrect Authorization (CWE-863)
Security Risk: High
Vendor: agorum® Software GmbH
Vendor URL: https://www.agorum.com/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: Requested
CVE Link: Requested
Advisory ID: usd-2025-0028
Description
agorum core open does not verify administrative privileges on a number of administrative tool endpoints, so a low-privileged authenticated user can invoke admin functionality. This includes downloading server logs and stack traces, mass-deleting files, changing access rights on uploaded files, and more.
Additionally, after the first launch of a fresh installation, some of these endpoints are reachable without any authentication at all. This allows an unauthenticated attacker to list directories and endpoints of agorum core open and to download server logs and stack traces.
Proof of Concept
The following endpoints, and the functionality behind them, can be accessed as a low-privileged user:
- http://localhost/roiwebui/address_module/tools/ReindexAddressContainers.jsp
- http://localhost/roiwebui/roiprotocols_module/tools/SendMailFromMailbox.jsp
- http://localhost/roiwebui/roiwebui_module/tools/DownloadLog.jsp
- http://localhost/roiwebui/roiwebui_module/tools/Stacktrace.jsp
- http://localhost/roiwebui/roiwebui_module/tools/Stacktrace2.jsp
- http://localhost/roiwebui/roiwebui_module/tools/PrintIndexJson.jsp
- http://localhost/roiwebui/roiwebui_module/tools/MassDelete.jsp
- http://localhost/roiwebui/roiwebui_module/tools/ScopeAclTool.jsp
- http://localhost/roiwebui/roiwebui_module/tools/TestPerformance.jsp
Furthermore, the endpoints listed below can be accessed without authentication on the first launch after a fresh installation:
- http://localhost/roiwebui/
- http://localhost/roiwebui/roiwebui_module/tools/DownloadLog.jsp
- http://localhost/roiwebui/roiwebui_module/tools/Stacktrace.jsp
- http://localhost/roiwebui/roiwebui_module/tools/Stacktrace2.jsp
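To verify whether an instance is affected (or whether the fix is in place), the endpoints from both lists above can be requested once with the session cookie of a low-privileged user and once without any cookie. The script below is an added example for this check and is not part of the advisory or of agorum core open. It assumes the base URL and the raw Cookie header value are supplied by the tester; the session cookie name of agorum core open is not stated on this page, so the full Cookie header is passed through unchanged. A response is treated as "protected" if it is 401/403 or if the request was redirected to a URL containing "login"; that heuristic is an assumption, so any endpoint reported as exposed should be confirmed manually.

```python
"""Audit agorum core open tool endpoints for missing authorization checks.

Added example (not code from the advisory or the vendor). Paths are taken
from the advisory above; the protection heuristic is an assumption.
"""
import argparse
import urllib.error
import urllib.request

# Endpoints the advisory reports as reachable by low-privileged users.
ADMIN_ONLY_PATHS = [
    "/roiwebui/address_module/tools/ReindexAddressContainers.jsp",
    "/roiwebui/roiprotocols_module/tools/SendMailFromMailbox.jsp",
    "/roiwebui/roiwebui_module/tools/DownloadLog.jsp",
    "/roiwebui/roiwebui_module/tools/Stacktrace.jsp",
    "/roiwebui/roiwebui_module/tools/Stacktrace2.jsp",
    "/roiwebui/roiwebui_module/tools/PrintIndexJson.jsp",
    "/roiwebui/roiwebui_module/tools/MassDelete.jsp",
    "/roiwebui/roiwebui_module/tools/ScopeAclTool.jsp",
    "/roiwebui/roiwebui_module/tools/TestPerformance.jsp",
]

# Endpoints the advisory reports as reachable without any authentication
# on the first launch of a fresh installation.
UNAUTH_PATHS = [
    "/roiwebui/",
    "/roiwebui/roiwebui_module/tools/DownloadLog.jsp",
    "/roiwebui/roiwebui_module/tools/Stacktrace.jsp",
    "/roiwebui/roiwebui_module/tools/Stacktrace2.jsp",
]


def http_get(base_url, path, cookie=None, timeout=10):
    """GET base_url+path, following redirects; return (status, final_url).

    Status 0 means the connection itself failed.
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, err.geturl()
    except urllib.error.URLError:
        return 0, base_url + path


def looks_protected(status, final_url):
    """Heuristic (assumption): 401/403, a failed connection, or a redirect that
    landed on a login page means the endpoint enforced access control."""
    if status in (0, 401, 403):
        return True
    return "login" in final_url.lower()


def audit(base_url, paths, cookie=None, fetch=http_get):
    """Return the subset of `paths` that answered without enforcing access
    control for the given cookie (None = unauthenticated)."""
    exposed = []
    for path in paths:
        status, final_url = fetch(base_url, path, cookie)
        if not looks_protected(status, final_url):
            exposed.append(path)
    return exposed


def run_audit(base_url, low_priv_cookie, fetch=http_get):
    """Run both checks from the advisory and return a findings dict."""
    return {
        "low_privileged_user": audit(base_url, ADMIN_ONLY_PATHS, low_priv_cookie, fetch),
        "unauthenticated": audit(base_url, UNAUTH_PATHS, None, fetch),
    }


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("base_url", help="e.g. http://localhost")
    ap.add_argument("cookie", help="Cookie header of a low-privileged session")
    args = ap.parse_args()
    for scope, paths in run_audit(args.base_url, args.cookie).items():
        print(f"[{scope}] {len(paths)} endpoint(s) exposed")
        for p in paths:
            print("   ", p)
```

Run it against a patched instance with the cookie of a non-admin test account; both lists should come back empty. Any path that is still listed under "low_privileged_user" needs the admin check from the Fix section below, and any path under "unauthenticated" indicates the first-launch state is still reachable.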
Fix
Users of agorum core open should upgrade to version 11.9.2 or 11.10.1.
As an interim measure, the following check can be added to, or adjusted in, each of the affected .jsp files so that the tool logic only runs for administrative sessions:
if (sessionController != null && sessionController.isAdminEnabled()) { ... }
Timeline
- 2025-05-05: First contact request via mail.
- 2025-05-05: The vendor confirmed receipt of the report and began investigating.
- 2025-05-07: The vendor has begun addressing and fixing the issue.
- 2025-05-15: The vendor has addressed and fixed the vulnerability within the cloud instances.
- 2025-05-30: The vendor released fixed versions 11.9.2 and 11.10.1.
- 2025-06-27: This advisory is published.
Credits
This security vulnerability was identified by Jakob Steeg, Roman Hergenreder, Florian Kimmes, Kai Glauber, DR and Ole Wagner of usd AG.