Skip to main content

agorum core CVE-2025-52169

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-07-18 cve@mitre.org
7.1
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Reflected XSS is network-delivered, low-complexity, needs no auth but requires a victim click (UI:R); it crosses into the browser context (S:C) with low C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 01:31 vuln.today

DescriptionCVE.org

agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.

AnalysisAI

Reflected cross-site scripting in agorum core open versions 11.9.2 and 11.10.1 allows attackers to inject and execute arbitrary JavaScript in a victim's browser session by luring an authenticated or unauthenticated user into clicking a crafted link. The flaw was disclosed in usd HeroLab advisory usd-2025-0026 and carries a CVSS 7.1 rating driven by a scope change (S:C). No public exploit has been identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

agorum core is an open-source enterprise content management (ECM) and document management system (DMS) developed by agorum Software GmbH, typically deployed as a web application for collaborative document handling and workflow. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected variant where attacker-controlled input in a request parameter is echoed back into an HTTP response without adequate output encoding or context-aware sanitization, causing the browser to parse it as executable script. No CPE strings were supplied in the intelligence feed, so the exact affected components/endpoints are known only from the vendor advisory scope of versions 11.9.2 and 11.10.1.

Affected ProductsAI

agorum core open versions 11.9.2 and 11.10.1 from agorum Software GmbH are confirmed affected per the disclosure; no CPE identifiers were provided in the intelligence sources, and the version list should be treated as the specific builds tested rather than a proven exhaustive range. Details are documented in the usd HeroLab security advisory at https://herolab.usd.de/security-advisories/usd-2025-0026/, which is the authoritative reference for the affected scope.

RemediationAI

Consult the usd HeroLab advisory at https://herolab.usd.de/security-advisories/usd-2025-0026/ and apply the vendor's fixed release once available; no vendor-released patch version was included in the provided data, so no fixed version is independently confirmed at time of analysis. As compensating controls, deploy a Content-Security-Policy that disallows inline script execution to blunt reflected XSS payloads (side effect: may break legitimate inline scripts and require tuning), place the application behind a WAF with reflected-XSS signatures on the vulnerable parameters, restrict agorum core exposure to trusted networks or VPN rather than the public internet, and enable the HttpOnly flag on session cookies so injected script cannot read them (side effect: breaks any client-side code that legitimately reads those cookies). Advise users not to click untrusted agorum core links until patched.

Share

CVE-2025-52169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy