CVE-2025-60917
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in Austrian Archaeological Institute Openatlas allows attackers to inject malicious scripts via the color parameter in the /overview/network/ endpoint. This enables execution of arbitrary JavaScript in users' browsers when they visit a crafted URL. Users of Openatlas versions before 8.12.0 are affected.
💻 Affected Systems
- Austrian Archaeological Institute Openatlas
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal user session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via browser exploitation.
Likely Case
Session hijacking, credential theft, or defacement of the application interface through injected content.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Exploitation requires tricking users into clicking a malicious link containing the crafted payload in the color parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.12.0
Vendor Advisory: https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-xss-in-farb-feldern-ort/
Restart Required: Yes
Instructions:
1. Back up your Openatlas installation and database.
2. Download Openatlas version 8.12.0 or later from the official repository.
3. Replace the existing installation with the patched version.
4. Restart the web server service.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject or sanitize malicious input in the color parameter.
Modify the endpoint handler to validate the color parameter against a whitelist of safe values.
Web Application Firewall (WAF) Rule
Deploy a WAF rule to block requests containing XSS payloads in the color parameter.
Add a rule that blocks requests where the query string contains <script> or javascript: in the color parameter (match against the URL-decoded value so encoded payloads are also caught).
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources.
- Disable or restrict access to the /overview/network/ endpoint if not required for operations.
🔍 How to Verify
Check if Vulnerable:
Test by accessing the endpoint with a payload like /overview/network/?color=<script>alert('XSS')</script> and check whether the script executes.
Check Version:
Check the Openatlas version in the application's admin interface or configuration files.
Verify Fix Applied:
After patching, repeat the test payload; script execution should be prevented and input sanitized.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /overview/network/ with suspicious strings like <script>, javascript:, or encoded payloads in the color parameter.
Network Indicators:
- Unusual outbound connections from user browsers after visiting the /overview/network/ endpoint.
SIEM Query:
source="web_server_logs" AND uri_path="/overview/network/" AND query_string MATCHES "color=.*(<script>|javascript:).*"
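Added example (not OpenAtlas project code): a strict allowlist validator for the color parameter, as the "Input Validation Filter" workaround above suggests, plus a detector that applies the log indicator and SIEM query above to constructed access-log lines. The combined-log-format layout and the hex-colour-only allowlist are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist: a CSS hex colour (#rgb or #rrggbb) and nothing else.
# Assumption: this endpoint only ever needs hex colours; widen deliberately if not.
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

def validate_color(value: str, default: str = "#000000") -> str:
    """Return value if it is a well-formed hex colour, otherwise a safe default.
    Markup, scheme prefixes and encoded junk never reach the rendered page."""
    return value if HEX_COLOR.fullmatch(value) else default

# Indicators from the advisory, applied after percent-decoding so encoded
# payloads (e.g. %3Cscript%3E) are caught as well as literal ones.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Combined log format: ip ident user [timestamp] "METHOD target HTTP/x" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_color_requests(log_lines):
    """Return (client_ip, decoded_color) for requests to /overview/network/
    whose color parameter contains a script-injection indicator."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/overview/network/":
            continue
        # parse_qs already decodes once; a second unquote catches double encoding
        for value in parse_qs(url.query, keep_blank_values=True).get("color", []):
            decoded = unquote(value)
            if SUSPICIOUS.search(decoded):
                hits.append((m.group("ip"), decoded))
    return hits

# Constructed sample lines: one benign hex colour, the advisory's test payload
# (encoded), the same payload against an unrelated path, and a javascript: URI.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /overview/network/?color=%23ff0000 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2025:12:00:02 +0000] "GET /overview/network/?color=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 5230',
    '203.0.113.9 - - [10/Oct/2025:12:00:03 +0000] "GET /entity/1?color=%3Cscript%3E HTTP/1.1" 200 900',
    '203.0.113.11 - - [10/Oct/2025:12:00:04 +0000] "GET /overview/network/?color=javascript%3Aalert(1) HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for ip, value in suspicious_color_requests(SAMPLE_LOG):
        print(f"{ip}: rejected color value {value!r} -> served {validate_color(value)}")
```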