Cybersecurity Vulnerabilities

CVE-2025-60915: Openatlas Path Traversal Vulnerability Exploited!

November 24, 2025 - By 

Overview

CVE-2025-60915 describes a path traversal vulnerability found in Austrian Archaeological Institute Openatlas before version 8.12.0. Specifically, the vulnerability exists within the size query parameter of the /views/file.py script. This flaw allows attackers to potentially access sensitive files and directories on the server by crafting malicious requests.

This vulnerability was published on 2025-11-24T16:15:50.727.

Technical Details

The vulnerability resides in how the /views/file.py script handles the size query parameter. Insufficient sanitization of this parameter allows an attacker to inject directory traversal sequences (e.g., ../) into the file path being constructed. By manipulating the size parameter, an attacker can potentially navigate outside the intended directory and access arbitrary files on the server, leading to information disclosure.

Example vulnerable URL (hypothetical): /views/file.py?size=../../../../etc/passwd. This URL is an illustration of how an attacker may try to read the contents of /etc/passwd.

CVSS Analysis

The provided information indicates that the severity and CVSS score for CVE-2025-60915 are currently marked as “N/A”. This may be due to the score not being calculated yet or because the scoring is dependent on specific deployment configurations. A proper risk assessment for specific deployments will need to consider what types of files are accessible and the privileges of the webserver process.

Severity: N/A

CVSS Score: N/A

Possible Impact

The exploitation of this path traversal vulnerability can have significant consequences:

  • Information Disclosure: Attackers could potentially access sensitive configuration files, source code, or user data.
  • Privilege Escalation (Potentially): In some cases, access to certain files could lead to privilege escalation if the attacker can obtain credentials or other sensitive information.
  • System Compromise: Depending on the accessible files and server configuration, a successful exploit could potentially lead to full system compromise.

Mitigation or Patch Steps

The primary mitigation step is to upgrade Openatlas to version 8.12.0 or later. This version should contain a patch that properly sanitizes the size query parameter and prevents path traversal attacks.

If upgrading immediately is not feasible, consider the following temporary workarounds:

  • Input Validation: Implement strict input validation on the size parameter to prevent the inclusion of directory traversal sequences (e.g., ../).
  • Web Application Firewall (WAF): Deploy a WAF with rules to detect and block requests containing path traversal attempts.

References

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *