CVE-2025-40702
📋 TL;DR
A stored Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 allows remote attackers to inject malicious scripts via the 'creator' and 'license_holder' parameters in POST requests to '/insert/file'. This could enable session cookie theft from authenticated users. Organizations using OpenAtlas v8.9.0 for digital humanities and cultural heritage projects are affected.
💻 Affected Systems
- OpenAtlas
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover through session hijacking, leading to unauthorized data access/modification, privilege escalation, and potential data exfiltration from the cultural heritage database.
Likely Case
Session cookie theft allowing attacker to impersonate authenticated users, potentially accessing sensitive cultural heritage data and performing unauthorized actions within their permission scope.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting the specific user session without broader system compromise.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into visiting a malicious page or submitting crafted data, but the XSS payload execution is straightforward once delivered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-cross-site-scripting-xss-vulnerabilities-openatlas-acdh-ch
Restart Required: No
Instructions:
1. Monitor the OpenAtlas GitHub repository for security updates. 2. Apply any available patches from the vendor. 3. Verify the fix by testing the vulnerable parameters with XSS payloads.
🔧 Temporary Workarounds
Input Validation and Output Encoding
allImplement server-side validation and HTML encoding for user input in 'creator' and 'license_holder' parameters before processing or displaying.
Content Security Policy (CSP)
allDeploy a strict CSP header to mitigate XSS impact by restricting script execution sources.
Add to web server config: Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
- Disable or restrict access to the '/insert/file' endpoint if not essential for operations.
🔍 How to Verify
Check if Vulnerable:
Test by submitting XSS payloads (e.g., <script>alert('XSS')</script>) in 'creator' or 'license_holder' parameters via POST to '/insert/file' and check if script executes.Check Version:
Check OpenAtlas version in application interface or configuration files; typically visible in admin panel or via 'cat' commands on deployment files.Verify Fix Applied:
Retest with XSS payloads after applying fixes; successful fix should show encoded output or blocked requests without script execution.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to '/insert/file' with script tags or JavaScript in parameters
- Multiple failed login attempts following suspicious file insertions
Network Indicators:
- HTTP traffic containing XSS patterns in POST body to vulnerable endpoint
- Unexpected outbound connections from server after file insertion
SIEM Query:
source="web_logs" AND uri_path="/insert/file" AND (http_method="POST") AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")