
CVE-2025-60916: Openatlas Reflected XSS Vulnerability – Secure Your Archaeological Data!

Overview

CVE-2025-60916 is a medium-severity reflected Cross-Site Scripting (XSS) vulnerability affecting Openatlas, an open-source platform used in archaeological research. Specifically, versions prior to v8.12.0 are susceptible. This vulnerability allows a remote attacker to inject arbitrary JavaScript code into a user’s browser session, potentially leading to data theft, session hijacking, or defacement of the application.

Technical Details

The vulnerability exists in the /overview/network/ endpoint of Openatlas. By crafting a malicious payload and placing it in the charge parameter of the URL, an attacker can trigger the execution of arbitrary JavaScript code when a user clicks on the crafted link. Because the parameter value is not validated or output-encoded before being reflected back to the user, the browser interprets the injected code as a legitimate part of the webpage and executes it within the user's session.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-60916 a score of 5.4, indicating a MEDIUM severity. This score reflects the following factors:

  • Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely over a network.
  • Attack Complexity (AC): Low (L) – The vulnerability is relatively easy to exploit.
  • Privileges Required (PR): None (N) – No special privileges are needed to exploit the vulnerability.
  • User Interaction (UI): Required (R) – User interaction is required, such as clicking on a malicious link.
  • Scope (S): Changed (C) – The impact reaches beyond the vulnerable component itself; the script executes in the victim's browser rather than on the Openatlas server.
  • Confidentiality Impact (C): Low (L) – There may be some limited information disclosure.
  • Integrity Impact (I): Low (L) – Data modification is possible.
  • Availability Impact (A): None (N) – No impact on the availability of the system.

Possible Impact

Successful exploitation of this vulnerability can lead to several negative consequences:

  • Account Compromise: An attacker could potentially steal user credentials or session cookies, gaining unauthorized access to user accounts.
  • Data Theft: Sensitive data displayed on the Openatlas platform could be stolen.
  • Malware Distribution: The attacker could inject malicious scripts to redirect users to phishing sites or distribute malware.
  • Website Defacement: The attacker could alter the appearance of the Openatlas website, causing reputational damage.

Mitigation and Patch Steps

To mitigate the risk of CVE-2025-60916, the following steps are recommended:

  1. Upgrade Openatlas: The most effective solution is to upgrade to Openatlas version 8.12.0 or later. This version includes a patch that addresses the XSS vulnerability.
  2. Input Validation: If upgrading is not immediately possible, implement strict input validation and sanitization on the charge parameter in the /overview/network/ endpoint. Ensure that any user-supplied data is output-encoded for the HTML context in which it is rendered before being displayed on the page.
  3. Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to filter out malicious requests that attempt to exploit the XSS vulnerability. Configure the WAF with rules to block known XSS patterns.
  4. User Awareness: Educate users about the dangers of clicking on suspicious links and opening attachments from untrusted sources.
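As an added illustration (not Openatlas's own code), the Python below shows the defect class beside a hardened handler for the charge parameter, and a small check over constructed access-log lines that flags requests to /overview/network/ whose charge value fails the allowlist. The allowlist pattern, the function names and the log format are assumptions; the real accepted values for charge are not stated on this page.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist for the charge parameter (a stand-in; the page does not
# say what Openatlas actually accepts). Rejecting is safer than "cleaning".
CHARGE_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
NETWORK_PATH = "/overview/network/"
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def validate_charge(value):
    """Return the value unchanged if it matches the allowlist, else None."""
    return value if CHARGE_RE.fullmatch(value) else None

def encode_for_attr(value):
    """HTML-encode for an attribute context; quote=True also escapes ' and \"."""
    return html.escape(value, quote=True)

def render_vulnerable(charge):
    """The defect class: the parameter is reflected into markup untouched."""
    return f'<div data-charge="{charge}">Network view</div>'

def render_hardened(charge):
    """Defence in depth: allowlist first, then encode for the output context."""
    safe = validate_charge(charge)
    if safe is None:
        return '<div data-charge="">Network view</div>'
    return f'<div data-charge="{encode_for_attr(safe)}">Network view</div>'

def flag_suspicious(log_lines):
    """Client IPs of /overview/network/ requests whose charge fails the allowlist."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))          # request target, e.g. /path?query
        if target.path != NETWORK_PATH:
            continue
        for value in parse_qs(target.query).get("charge", []):  # percent-decoded
            if validate_charge(value) is None:
                hits.append(line.split(" ", 1)[0])
                break
    return hits

# Constructed access-log lines (not real traffic); the second carries a probe.
LOG_LINES = [
    '198.51.100.7 - - [10/Oct/2025:12:00:01 +0000] "GET /overview/network/?charge=42 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Oct/2025:12:00:05 +0000] "GET /overview/network/?charge=%22%3E%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5301',
    '198.51.100.7 - - [10/Oct/2025:12:00:09 +0000] "GET /entity/12?charge=%3Cb%3E HTTP/1.1" 200 900',
]
```

Rendering only differs for values the allowlist rejects; the encoder stays in place so that a later loosening of the allowlist does not reopen the reflection.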

References

sec4you-pentest.com: Openatlas Reflected DOM-Based XSS Charge Vulnerability
sec4you-pentest.com: Schwachstellen (Vulnerabilities)

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
