CVE-2025-60916
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian Archaeological Institute Openatlas allows attackers to inject malicious scripts via the charge parameter. When exploited, this enables execution of arbitrary JavaScript in the victim's browser context, potentially compromising user sessions or performing unauthorized actions. This affects all Openatlas installations before version 8.12.0.
💻 Affected Systems
- Austrian Archaeological Institute Openatlas
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or perform actions on behalf of authenticated users.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
Limited impact with proper input validation and output encoding, though some user interface manipulation may still occur.
🎯 Exploit Status
Exploitation requires tricking a user into clicking a malicious link containing the crafted charge parameter payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.12.0
Vendor Advisory: https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-reflected-dom-based-xss-charge/
Restart Required: Yes
Instructions:
1. Backup your Openatlas installation and database.
2. Download Openatlas version 8.12.0 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the web server service.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Implement WAF rules to block malicious charge parameter payloads containing script tags or JavaScript.
Input Validation Filter
Add server-side validation to sanitize or reject malicious input in the charge parameter.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources.
- Disable or restrict access to the /overview/network/ endpoint if not required.
🔍 How to Verify
Check if Vulnerable:
Test by accessing the /overview/network/ endpoint with a charge parameter containing a simple XSS payload like <script>alert('test')</script> and check if it executes.
Check Version:
Check the Openatlas version in the application's admin interface or configuration files.
Verify Fix Applied:
After patching, repeat the vulnerability test; the payload should be properly sanitized and not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual or malicious patterns in charge parameter values in web server access logs.
Network Indicators:
- HTTP requests to /overview/network/ with suspicious charge parameter content.
SIEM Query:
source="web_server_logs" AND uri_path="/overview/network/" AND (query_string="*charge=*<script>*" OR query_string="*charge=*javascript:*")
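As an added example (not from this advisory or the Openatlas project), the following Python script applies the same indicators as the SIEM query above to constructed web server access-log lines. It percent-decodes the charge value before matching, so URL-encoded and double-encoded payloads, which a literal `*charge=*<script>*` match would miss, are still flagged; the log format, IP addresses and payload strings are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in Apache/nginx "combined" style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /overview/network/?charge=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /overview/network/?charge=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /overview/network/?charge=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2025:10:00:03 +0000] "GET /overview/network/?charge=javascript%3Aalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:10:00:04 +0000] "GET /entity/1?charge=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method and request target from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)
# The two indicators named in the advisory's SIEM query: script tags and javascript: URIs.
PAYLOAD_RE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)
VULNERABLE_PATH = "/overview/network/"


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are inspected in clear form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_requests(log_text):
    """Return (ip, timestamp, decoded charge value) for requests matching the indicators."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        parts = urlsplit(m.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue  # only the affected endpoint is in scope
        # parse_qs decodes one level; fully_decode handles any further encoding.
        for raw in parse_qs(parts.query, keep_blank_values=True).get("charge", []):
            decoded = fully_decode(raw)
            if PAYLOAD_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} charge={value!r}")
```

The request to /entity/1 is ignored on purpose: the advisory scopes the flaw to /overview/network/, and alerting only on that path keeps the rule's false-positive rate down.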