Skip to main content

agorum core open CVE-2025-52162

MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2025-07-18 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
7.5 HIGH

XXE primitives typically yield full local file read (C:H); no direct integrity or availability impact is established by the read-only XXE description.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 02:14 vuln.today

DescriptionCVE.org

agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain an XML External Entity (XXE) via the RSSReader endpoint. This vulnerability allows attackers to access sensitive data via providing a crafted XML input.

AnalysisAI

XML External Entity (XXE) injection in agorum core open's RSSReader endpoint enables remote attackers to exfiltrate sensitive server-side data by submitting crafted XML payloads. Affected versions are v11.9.2 and v11.10.1 of this document management platform. EPSS exploitation probability sits at 0.22% (13th percentile), no public exploit code has been identified, and the vulnerability is not listed in CISA's KEV catalog - indicating low observed exploitation pressure despite the network-accessible, unauthenticated attack surface described by the CVSS vector.

Technical ContextAI

CWE-611 (Improper Restriction of XML External Entity Reference) describes the root cause: the XML parser backing the RSSReader endpoint resolves external entity declarations supplied by the caller, allowing reference to local file system paths (e.g., file:///etc/passwd) or internal network resources via SSRF. RSS is inherently XML-based, and document management systems such as agorum core open commonly implement RSS feed ingestion to aggregate content from external sources. When the XML parser is not hardened to disable DOCTYPE declarations and external entity resolution, any caller who can reach the endpoint can craft a document that causes the server to fetch and echo back arbitrary resources accessible to the application's process account. The affected product is agorum core open, a self-hosted ECM/DMS platform by agorum Software GmbH, versions 11.9.2 and 11.10.1.

Affected ProductsAI

agorum core open versions 11.9.2 and 11.10.1 by agorum Software GmbH are confirmed affected. No CPE strings were included in the provided data. The vulnerability is specific to the RSSReader endpoint component. Deployments on any operating system hosting these versions are in scope. The vendor advisory and full technical details are published by HeroLab at https://herolab.usd.de/security-advisories/usd-2025-0024/.

RemediationAI

No specific patched version number was included in the available intelligence; consult the HeroLab advisory at https://herolab.usd.de/security-advisories/usd-2025-0024/ and the agorum vendor channel for confirmed fix versions before upgrading. As an immediate compensating control, restrict network access to the RSSReader endpoint at the perimeter or application firewall layer - blocking unauthenticated external reach to this endpoint eliminates the remote attack surface with no functional loss for deployments that do not expose it publicly. Additionally, if the application server permits it, configure the underlying XML parser to disable DOCTYPE declarations and external entity resolution (e.g., via XMLInputFactory or SAXParserFactory flags in Java environments), which neutralizes XXE regardless of input source. Patch availability per vendor advisory is the authoritative remediation; compensating controls should be treated as temporary.

Share

CVE-2025-52162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy