Agorum core Plaintext Password Storage Vulnerability (CVE-2025-52164)

Critical Vulnerability Information Product: Agorum core open Affected Version: 11.9.1.3-1857 Vulnerability Type: Passwords Stored in Plain Text (CWE-256) Security Risk: High Vendor: Agorum Vendor URL: https://www.agorum.com/ Vendor Confirmed Vulnerability: Yes Vendor Status: Fixed CVE ID: CVE-2025-52164 CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-52164 Announcement ID: USD-2025-0023 Description Agorum core is an open-source enterprise content management system (ECM) developed by Agorum Software GmbH, Germany. During installation, the system administrator must define passwords for the manadmin, demo, and database users. After successful installation, a data form is created in the agorumcore/doc directory. The file agorum-core-dataset.txt contains the previously defined passwords. Proof of Concept The data form for Agorum core includes multiple directories and scripts, along with information about various interfaces and ports. Remediation Recommendation It is recommended to securely hash passwords using strong encryption algorithms to ensure they are not stored in plain text. References https://cwe.mitre.org/data/definitions/256.html Timeline 2025-05-05: Initial contact via email 2025-05-05: Vendor acknowledges and begins investigation 2025-05-07: Vendor begins addressing and fixing the issue 2025-05-15: Vendor confirms fix and applies it to cloud instances 2025-05-20: Patched versions 11.9.2 and 11.10.1 released 2025-05-27: This security advisory published Acknowledgments This security vulnerability was discovered by Jason Steng, Roman Hegenstetter, Florian Kirmes, Kai Glauber, DA, and Ole Wagner of usd AG.

Goal Reached Thanks to every supporter — we hit 100%!

Agorum core Plaintext Password Storage Vulnerability (CVE-2025-52164)

More from this source