CVE-2025-67076
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: MITRE

Description
Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-01-16
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Vendor | Product | Version / Range
omnispace | agora_project | up to 25.6.4 (inclusive)
omnispace | agora_project | up to 25.10 (exclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a directory traversal flaw (CWE-22) in the Omnispace Agora Project before version 25.10. The misc controller's ExternalGetFile action serves a file named by the '_id' GET parameter, and an unauthenticated attacker can place '../' sequences in that parameter to escape the intended directory. The only filter that remains is a check that the requested name carries an extension, so files without one are not served directly; a name such as 'passwd.' satisfies that check while still pointing outside the allowed tree. Depending on the server setup, this exposes configuration files, exported data and any other file the web server process can read. [1]
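The following is an added illustration, not code from Agora Project or from the page: a minimal extension-only filename check of the kind the description implies, next to a hardened resolver that canonicalises the path and confirms it stays under the document root before the extension rule is applied. BASE_DIR is a hypothetical directory chosen for the example; the parameter value shapes ('../../../../etc/passwd.') follow the page's curl command.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for this illustration (an assumption, not a real
# Agora Project path). Paths are handled as POSIX strings so the example runs
# without the files existing.
BASE_DIR = "/var/www/agora/files"


def weak_check(user_path: str) -> bool:
    """Illustrative CWE-22 pattern, not the project's code: the only test is
    'does the requested name carry an extension?'. Where the path resolves is
    never examined, so '../../../../etc/passwd.' passes because
    splitext('passwd.') reports the extension '.'."""
    name = posixpath.basename(user_path)
    _, ext = posixpath.splitext(name)
    return ext != ""


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened form: decode once, reject NUL bytes, join under BASE_DIR,
    canonicalise, and require that the result still lies inside BASE_DIR.
    Returns the canonical path, or None when the request is rejected."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        return None
    # posixpath.join discards BASE_DIR when `decoded` is absolute; the
    # containment test below catches that case as well as '..' climbing.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    try:
        if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
            return None
    except ValueError:
        return None
    # Keep the "must have an extension" rule, but only after containment has
    # been proven, and treat a bare trailing dot as no extension at all.
    _, ext = posixpath.splitext(posixpath.basename(candidate))
    if ext in ("", "."):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("reports/export.csv", "../../../../etc/passwd.", "/etc/passwd."):
        print(f"{p!r}: weak_check={weak_check(p)} safe_resolve={safe_resolve(p)!r}")
```

On a live system the containment check should use os.path.realpath so that symlinks inside the document root cannot point outside it; normpath is used here only so the example runs with no files present.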


How can this vulnerability impact me?

An attacker who can reach the application over the network can read files on the server without any credentials, exposing configuration details, data exports and anything else the web server process can read. The same project also carries related vulnerabilities that allow uploading malicious files, executing code and performing cross-site scripting; chained with this file read, they raise the risk of full server compromise and data breaches. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To test an instance, send a request to the misc controller's ExternalGetFile action with a traversal sequence in the _id GET parameter, adjusting the path to your installation's routing, for example:

curl 'http://target/misc/ExternalGetFile?_id[]=../../../../etc/passwd.'

The appended dot gives the name an extension so it passes the filter. Whether the host then opens that name depends on the filesystem: Windows strips a trailing dot, while Linux treats 'passwd.' as a distinct file, so a "not found" response on Linux does not by itself show the instance is patched; check the application version against 25.10 as well. On the defensive side, search web server access logs for requests to the ExternalGetFile action whose _id parameter contains '..' (URL-encoded and double-encoded variants such as %2e%2e%2f included), and treat a 200 response to such a request as a likely successful read. [1]
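The log review suggested above, as an added example that is not part of the page or of the project: a small scanner over Apache/nginx combined-format access logs that isolates requests to the ExternalGetFile action, decodes the _id and _id[] values (including double encoding) and reports any containing a '..' segment. The sample lines are constructed for the example, and the /misc/ExternalGetFile path shape is taken from the page's curl command.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format. They are not real
# traffic; the addresses and the /misc/ExternalGetFile path shape are
# assumptions taken from the page's curl example.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2026:10:00:01 +0000] "GET /misc/ExternalGetFile?_id[]=../../../../etc/passwd. HTTP/1.1" 200 1843 "-" "curl/8.5.0"
198.51.100.4 - - [15/Jan/2026:10:00:05 +0000] "GET /misc/ExternalGetFile?_id[]=42 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2026:10:00:09 +0000] "GET /misc/ExternalGetFile?_id%5B%5D=..%2F..%2Fconfig.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jan/2026:10:00:12 +0000] "GET /misc/ExternalGetFile?_id[]=%252e%252e%252fconfig.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.9 - - [15/Jan/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a complete path segment, with either separator, anywhere in the value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
ID_KEYS = {"_id", "_id[]"}


def id_values(query: str) -> list:
    """All values submitted under _id or _id[] (parse_qs already decodes keys)."""
    out = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key in ID_KEYS:
            out.extend(values)
    return out


def find_traversal_attempts(log_text: str) -> list:
    """Return one dict per request to ExternalGetFile whose _id value contains
    a '..' segment after decoding (a second unquote catches double encoding)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if "externalgetfile" not in url.path.lower():
            continue
        for raw in id_values(url.query):
            value = unquote(raw)  # parse_qs decoded once; this handles %25xx
            if TRAVERSAL_RE.search(value):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "id": value,
                })
    return hits


if __name__ == "__main__":
    for h in find_traversal_attempts(SAMPLE_LOG):
        flag = "LIKELY READ" if h["status"] == 200 else "attempt"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {flag}: {h["id"]}')
```

Run it against a real log by reading the file into find_traversal_attempts; a 200 status on a flagged request is the line to triage first, since it indicates the file was actually returned rather than merely requested.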


What immediate steps should I take to mitigate this vulnerability?

Upgrade Agora Project to version 25.10 or later, where the flaw is fixed. Until that is done, restrict network access to the application, or at least to the misc controller's ExternalGetFile action, to trusted users, and monitor access logs for traversal attempts against that action. Because exploitation needs no credentials, treat any internet-exposed instance as potentially already read from and review which files the web server process could reach. For the related code-execution issue in the same project, disable MSL in Imagick's policy.xml by adding <policy domain="coder" rights="none" pattern="MSL"/> to stop code execution via crafted files. [1]

