Agorum core open CVE-2023-26169 Reflected XSS Vulnerability Advisory

Key Information Vulnerability Details Product: Agorum core open Affected Version: 11.9.1.3-1857 Vulnerability Type: Improper input neutralization during web page generation (Cross-Site Scripting) Security Risk Level: High Vendor: Agorum Vendor URL: https://www.agorum.com/ Vendor Confirmed Vulnerability: Yes Vendor Fix Status: Fixed CVE ID: CVE-2023-26169 Announcement ID: USD 2025-0026 Description Agorum core contains a Cross-Site Scripting (XSS) vulnerability affecting multiple parameters. This allows user-supplied JavaScript code to be reflected and executed, potentially leading to session credential theft or content tampering. Proof of Concept Example Request: In the server response, the user-supplied JavaScript is reflected and executed, triggering an alert box. Other Vulnerable Endpoints OpenDocumentMessage.jsp ShowSDSMessageBox.jsp SSC.jsp SSDConvertToPdf.jsp SSDFileListStart.jsp SSDPageSet.jsp SSDPrint.jsp SSDPortal.jsp SSDPortalWindow.jsp SSDPortalTextTermSet.jsp SDSearcMAsk.jsp SDSSearchMaskSet.jsp RBSExecuteSearch.jsp CreateNewWindowLoader.jsp RTSReadIn.jsp ReportingFrameSet.jsp Mitigation Recommendations Strongly recommend implementing robust input validation and output encoding strategies. Use libraries or frameworks that provide built-in XSS protection, and ensure all dynamic content is properly escaped according to context. Upgrade Recommendation Users should upgrade Agorum core open to versions 11.9.2 and 11.10.1. Timeline 2025-05-05: Initial contact via email 2025-05-05: Vendor acknowledged receipt and began investigation 2025-05-07: Vendor began addressing and fixing the issue 2025-05-15: Vendor resolved and patched the vulnerability in cloud instances 2025-05-30: Vendor released fixed versions 11.9.2 and 11.10.1 2025-06-27: This advisory published

Goal Reached Thanks to every supporter — we hit 100%!

Agorum core open CVE-2023-26169 Reflected XSS Vulnerability Advisory

More from this source