Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Reflected XSS is network-delivered, low-complexity, needs no auth but requires a victim click (UI:R); it crosses into the browser context (S:C) with low C/I/A impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.
AnalysisAI
Reflected cross-site scripting in agorum core open versions 11.9.2 and 11.10.1 allows attackers to inject and execute arbitrary JavaScript in a victim's browser session by luring an authenticated or unauthenticated user into clicking a crafted link. The flaw was disclosed in usd HeroLab advisory usd-2025-0026 and carries a CVSS 7.1 rating driven by a scope change (S:C). No public exploit has been identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
agorum core is an open-source enterprise content management (ECM) and document management system (DMS) developed by agorum Software GmbH, typically deployed as a web application for collaborative document handling and workflow. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected variant where attacker-controlled input in a request parameter is echoed back into an HTTP response without adequate output encoding or context-aware sanitization, causing the browser to parse it as executable script. No CPE strings were supplied in the intelligence feed, so the exact affected components/endpoints are known only from the vendor advisory scope of versions 11.9.2 and 11.10.1.
Affected ProductsAI
agorum core open versions 11.9.2 and 11.10.1 from agorum Software GmbH are confirmed affected per the disclosure; no CPE identifiers were provided in the intelligence sources, and the version list should be treated as the specific builds tested rather than a proven exhaustive range. Details are documented in the usd HeroLab security advisory at https://herolab.usd.de/security-advisories/usd-2025-0026/, which is the authoritative reference for the affected scope.
RemediationAI
Consult the usd HeroLab advisory at https://herolab.usd.de/security-advisories/usd-2025-0026/ and apply the vendor's fixed release once available; no vendor-released patch version was included in the provided data, so no fixed version is independently confirmed at time of analysis. As compensating controls, deploy a Content-Security-Policy that disallows inline script execution to blunt reflected XSS payloads (side effect: may break legitimate inline scripts and require tuning), place the application behind a WAF with reflected-XSS signatures on the vulnerable parameters, restrict agorum core exposure to trusted networks or VPN rather than the public internet, and enable the HttpOnly flag on session cookies so injected script cannot read them (side effect: breaks any client-side code that legitimately reads those cookies). Advise users not to click untrusted agorum core links until patched.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today