Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via  the "/insert/event" petition, "name" parameter.
History

Tue, 02 Sep 2025 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Craws
Craws openatlas
CPEs cpe:2.3:a:craws:openatlas:8.9.0:*:*:*:*:*:*:*
Vendors & Products Craws
Craws openatlas
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 29 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 Aug 2025 11:30:00 +0000

Type Values Removed Values Added
Description Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via  the "/insert/event" petition, "name" parameter.
Title Cross-Site Scripting (XSS) vulnerability in OpenAtlas by ACDH-CH
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2025-08-29T13:44:55.517Z

Reserved: 2025-04-16T08:38:19.332Z

Link: CVE-2025-40708

cve-icon Vulnrichment

Updated: 2025-08-29T13:44:50.110Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-29T12:15:32.237

Modified: 2025-09-02T13:32:17.563

Link: CVE-2025-40708

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.