CVE-2025-67076
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: MITRE

Description
Directory traversal vulnerability in Omnispace Agora Project before 25.10 allowing unauthenticated attackers to read files on the system via the misc controller and the ExternalGetFile action. Only files with an extension can be read.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67076
EUVD
EUVD-2026-2762
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
omnispace agora_project to 25.6.4 (inc)
omnispace agora_project to 25.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a directory traversal flaw in the Omnispace Agora Project before version 25.10. It allows unauthenticated attackers to read files on the system by exploiting the misc controller's ExternalGetFile action. Attackers can manipulate the '_id' GET parameter to bypass filename checks and access files with extensions, potentially reading sensitive files such as configuration files or exported data depending on the server setup. [1]

Impact Analysis

The vulnerability allows attackers to read sensitive files on the server without authentication, which can lead to exposure of confidential information. This can compromise the security of the system by revealing configuration details or data exports. Additionally, related vulnerabilities in the same project can enable attackers to upload malicious files, execute code, and perform cross-site scripting attacks, increasing the risk of server compromise and data breaches. [1]

Detection Guidance

This vulnerability can be detected by attempting to access files via the misc controller's ExternalGetFile action using the _id GET parameter to perform directory traversal. For example, sending crafted HTTP requests to the vulnerable endpoint to read files with extensions can reveal the vulnerability. Commands using curl or similar tools can be used to test this, such as: curl 'http://target/misc/ExternalGetFile?_id[]=../../../../etc/passwd.' (note the appended dot). Monitoring web server logs for unusual requests to the ExternalGetFile action with suspicious _id parameters can also help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the Agora Project to version 25.10 or later, where this vulnerability is fixed. Additionally, review and restrict access to the misc controller and ExternalGetFile action, and monitor for suspicious file read attempts. For related vulnerabilities, consider disabling MSL in Imagick's policy.xml by adding `<policy domain="coder" rights="none" pattern="MSL"/>` to prevent code execution via crafted files. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart