Agorum Core Plaintext Password Storage Vulnerability

Vulnerability

A vulnerability exists in Agorum Core Open versions 11.9.2 and 11.10.1, where the application stores user passwords in plaintext. This issue was identified during the installation process, when passwords for the mainadmin, demo, and database users are created. The passwords are subsequently saved in a datasheet located in the agorumcore/doc directory, exposing sensitive credentials to unauthorized access. This plaintext storage of passwords poses a significant security risk, especially when combined with other vulnerabilities that could be exploited without authentication.

Impact

Storing passwords in plaintext creates a high security risk: anyone who can read the datasheet obtains the credentials of the mainadmin, demo, and database users. The consequences are especially severe if the issue is chained with another vulnerability that can be exploited without authentication.

Reproduction

To reproduce this vulnerability, install Agorum Core Open version 11.9.1.3-1857. During the installation, define passwords for the mainadmin, demo, and database users. After installation, a datasheet will be created in the agorumcore/doc directory. This datasheet will contain the passwords in plaintext, demonstrating the vulnerability.
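As an added post-installation check (example code written for this page, not part of Agorum Core or the advisory), the following Python script scans an installation directory for files that contain the passwords chosen during setup, reports the file and line where each one appears, notes whether the file is world-readable, and can redact the matched secrets in place. The datasheet content, the directory layout and the password values are constructed samples; the only detail taken from the advisory is that the leak lives in a datasheet under agorumcore/doc.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Constructed sample of what an install-time datasheet might look like.
# This is NOT a real Agorum Core datasheet; the layout and values are invented.
CONSTRUCTED_DATASHEET = """\
Agorum Core installation summary (constructed sample, not a real datasheet)
mainadmin password: Adm1n-Example!
demo password: Demo-Example!
database user: agorum
database password: Db-Example!
"""

# The passwords an administrator chose at install time (constructed values).
INSTALL_CREDENTIALS = {
    "mainadmin": "Adm1n-Example!",
    "demo": "Demo-Example!",
    "database": "Db-Example!",
}


@dataclass(frozen=True)
class Finding:
    path: str      # file that contains the secret
    line_no: int   # 1-based line number of the match
    account: str   # which account's password was found


def scan_for_plaintext_credentials(root, credentials):
    """Walk `root` and return a Finding for every line containing a known password.

    `credentials` maps an account name to the password set at install time.
    Binary or unreadable files are skipped rather than aborting the scan.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for line_no, line in enumerate(fh, start=1):
                        for account, secret in credentials.items():
                            if secret and secret in line:
                                findings.append(Finding(path, line_no, account))
            except OSError:
                continue
    return findings


def world_readable(path):
    """True if the file grants read access to 'other' (POSIX mode bit S_IROTH)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def redact_secrets(path, credentials):
    """Replace every occurrence of a known password in `path` with [REDACTED].

    Returns the number of replacements made. Run this only after the real
    credentials have been rotated or stored elsewhere securely.
    """
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        text = fh.read()
    replaced = 0
    for secret in credentials.values():
        if secret:
            replaced += text.count(secret)
            text = text.replace(secret, "[REDACTED]")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return replaced


def run_demo():
    """Build a throwaway install tree with the constructed datasheet and check it.

    Returns a dict with the findings before redaction, the number of secrets
    redacted, the findings after redaction, and whether the datasheet was
    world-readable before redaction.
    """
    root = tempfile.mkdtemp(prefix="agorumcore-check-")
    doc_dir = os.path.join(root, "agorumcore", "doc")  # path named in the advisory
    os.makedirs(doc_dir)
    datasheet = os.path.join(doc_dir, "install-datasheet.txt")  # constructed file name
    with open(datasheet, "w", encoding="utf-8") as fh:
        fh.write(CONSTRUCTED_DATASHEET)
    os.chmod(datasheet, 0o644)  # typical default: readable by every local user

    before = scan_for_plaintext_credentials(root, INSTALL_CREDENTIALS)
    readable = world_readable(datasheet)
    replaced = redact_secrets(datasheet, INSTALL_CREDENTIALS)
    after = scan_for_plaintext_credentials(root, INSTALL_CREDENTIALS)
    return {
        "before": [(f.line_no, f.account) for f in before],
        "world_readable": readable,
        "replaced": replaced,
        "after": [(f.line_no, f.account) for f in after],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host the same scan would be pointed at the installation root with the passwords actually entered during setup; a non-empty result means the credentials must be rotated, since the datasheet may already have been read by another local user or by a backup job.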

Remediation

Users of Agorum Core Open should upgrade to versions 11.9.2 or 11.10.1.

Added: Jul 18, 2025, 6:23 PM
Updated: Jul 18, 2025, 7:51 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.