Cross-Site Scripting Vulnerability in OpenAtlas by ACDH-CH
CVE-2025-40707
What is CVE-2025-40707?
A Cross-Site Scripting (XSS) vulnerability exists in OpenAtlas version 8.9.0, caused by inadequate validation of user input submitted in POST requests. The flaw lets a remote attacker craft malicious requests that target authenticated users. If exploited, the attacker could capture session cookies through manipulated parameters sent to the '/insert/place' endpoint, specifically the 'name' and 'alias-0' fields. This compromises user sessions and allows the attacker to hijack them.
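The following is an added illustration of the vulnerability class the advisory describes (reflected/stored XSS through unescaped form fields); it is constructed example code, not OpenAtlas's own implementation, and the field names are taken from the advisory while the sample values and both renderers are assumptions made for the demonstration.

```python
# Added example: an unescaped renderer beside its hardened form.
# Constructed for illustration; this is not OpenAtlas code.
from html import escape

# Constructed sample POST body. The field names match the advisory; the
# values are harmless markers that would become active markup if rendered raw.
SAMPLE_FORM = {
    "name": '<script>console.log("xss")</script>',
    "alias-0": 'x" onmouseover="console.log(1)',
}


def render_unsafe(form: dict) -> str:
    """'Before' behaviour: field values are concatenated straight into HTML."""
    return (
        f'<h1>{form.get("name", "")}</h1>\n'
        f'<input name="alias-0" value="{form.get("alias-0", "")}">'
    )


def render_safe(form: dict) -> str:
    """Hardened version: every value is HTML-escaped for its output context.

    quote=True also encodes quotation marks, so a value placed inside an
    attribute cannot break out of it and inject an event handler.
    """
    name = escape(form.get("name", ""), quote=True)
    alias = escape(form.get("alias-0", ""), quote=True)
    return f'<h1>{name}</h1>\n<input name="alias-0" value="{alias}">'


def contains_active_markup(html: str) -> bool:
    """Crude comparison check: does the output still carry a live script tag
    or an un-neutralised event-handler attribute?"""
    lowered = html.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SAMPLE_FORM), sep="\n")
    print("safe:", render_safe(SAMPLE_FORM), sep="\n")
```

The check in `contains_active_markup` is intentionally simple; in a real code base the fix is to route all user-controlled values through the template engine's auto-escaping rather than hand-escaping each field.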

Affected Version(s)
OpenAtlas 8.9.0
