Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/person/<ID>” petition, "name" and "alias-0” parameters.
Metrics
Affected Vendors & Products
References
History
Tue, 02 Sep 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Craws
Craws openatlas |
|
CPEs | cpe:2.3:a:craws:openatlas:8.9.0:*:*:*:*:*:*:* | |
Vendors & Products |
Craws
Craws openatlas |
|
Metrics |
cvssV3_1
|
Fri, 29 Aug 2025 12:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 29 Aug 2025 11:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/person/<ID>” petition, "name" and "alias-0” parameters. | |
Title | Cross-Site Scripting (XSS) vulnerability in OpenAtlas by ACDH-CH | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: INCIBE
Published:
Updated: 2025-08-29T11:50:38.804Z
Reserved: 2025-04-16T08:38:19.332Z
Link: CVE-2025-40709

Updated: 2025-08-29T11:50:34.283Z

Status : Analyzed
Published: 2025-08-29T12:15:32.447
Modified: 2025-09-02T13:31:57.053
Link: CVE-2025-40709

No data.

No data.