Cross-Site Scripting Vulnerability in OpenAtlas by Austrian Centre for Digital Humanities
CVE-2025-40708

5.1MEDIUM

Key Information:

Vendor

Acdh-ch

Status
Openatlas
Vendor
CVE Published:
29 August 2025

What is CVE-2025-40708?

A Cross-Site Scripting (XSS) vulnerability exists in OpenAtlas v8.9.0 due to insufficient validation of user input when handling POST requests. This flaw may enable remote attackers to craft malicious queries that could compromise authenticated users by stealing their session cookies through the '/insert/event' endpoint, specifically via the 'name' parameter.

Affected Version(s)

OpenAtlas 8.9.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...
https://github.com/craws/OpenAtlas

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Intilangelo (acme)
.