Multiple Cross-Site Scripting (XSS) vulnerabilities in OpenAtlas by ACDH-CH

Posted date 28/08/2025
Identifier
INCIBE-2025-0460
Importance
3 - Medium
Affected Resources

OpenAtlas, version 8.9.0.

Description

INCIBE has coordinated the publication of eight medium-severity vulnerabilities affecting OpenAtlas version 8.9.0. OpenAtlas is open-source database software developed specifically to acquire, edit and manage research data from humanities fields such as history, archaeology and cultural heritage, as well as related scientific data. These vulnerabilities were discovered by Andrea Intilangelo (acme).

The following identifiers, CVSS v4.0 base score, CVSS vector and CWE vulnerability type have been assigned to these vulnerabilities:

  • from CVE-2025-40702 to CVE-2025-40709: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79

Solution

The vulnerabilities have been fixed by the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH) team in version 8.10.1, available at https://github.com/craws/OpenAtlas.

Detail

There are several stored Cross-Site Scripting (XSS) vulnerabilities in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to submit specially crafted requests whose content is later served to an authenticated user, stealing that user's session cookie details.

For each identifier, the affected POST request and its parameters are as follows:

  • CVE-2025-40702: "/insert/file" request, "creator" and "license_holder" parameters;
  • CVE-2025-40703: "/insert/group" request, "name" and "alias-0" parameters;
  • CVE-2025-40704: "/insert/edition" request, "name" parameter;
  • CVE-2025-40705: "/insert/acquisition" request, "name" parameter;
  • CVE-2025-40706: "/insert/source" request, "name" parameter;
  • CVE-2025-40707: "/insert/place" request, "name" and "alias-0" parameters;
  • CVE-2025-40708: "/insert/event" request, "name" parameter;
  • CVE-2025-40709: "/insert/person/<ID>" request, "name" and "alias-0" parameters.
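As an added illustration, not OpenAtlas code and not the 8.10.1 fix (which this advisory does not show), the following Python contrasts the unescaped rendering pattern behind a stored XSS in a field such as "name" or "alias-0" with output encoding at render time, and adds a small check that flags markup submitted to the advisory-listed parameters. The endpoint-to-parameter map is taken from the list above; the form values are constructed samples.

```python
import html
import re

# Parameters named in the advisory, keyed by the POST endpoint they belong to.
ADVISORY_SINKS = {
    "/insert/file": ("creator", "license_holder"),
    "/insert/group": ("name", "alias-0"),
    "/insert/edition": ("name",),
    "/insert/acquisition": ("name",),
    "/insert/source": ("name",),
    "/insert/place": ("name", "alias-0"),
    "/insert/event": ("name",),
    "/insert/person/<ID>": ("name", "alias-0"),
}

# Constructed sample POST body (not from the advisory): one field carries a
# script tag, the other ordinary inline markup; both must be neutralised.
SAMPLE_FORM = {
    "name": "Mary <script>alert(1)</script>",
    "alias-0": "Lady <b>M</b>",
}

# Matches anything that looks like an HTML tag; used for detection only.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def render_vulnerable(form):
    """'Before' pattern: the stored value is concatenated into HTML verbatim,
    so a later viewer of the entity page executes whatever was submitted."""
    return f'<h2 class="entity">{form["name"]}</h2>'


def render_hardened(form):
    """'After' pattern: entity-encode at output time (what Jinja2 autoescape
    does); the browser displays the text but never parses it as markup."""
    return f'<h2 class="entity">{html.escape(form["name"], quote=True)}</h2>'


def audit_post(path, form):
    """Detection aid for a proxy or WAF log pipeline: return the advisory-listed
    parameters of this endpoint whose submitted value contains markup."""
    findings = []
    for param in ADVISORY_SINKS.get(path, ()):
        value = form.get(param, "")
        if TAG_RE.search(value):
            findings.append((param, value))
    return findings
```

Escaping at output time protects every viewer of the stored record; the audit function is a complementary signal for logging, not a substitute for encoding.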
Exploitation
No