CVE-2025-40709 — MEDIUM (5.4)

Vulnerability Description

Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/person/<ID>” petition, "name" and "alias-0” parameters.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Craws	Openatlas	8.9.0

Related Weaknesses (CWE)

CWE-79

References

https://github.com/craws/OpenAtlasProduct
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-cross-site-scriptingThird Party Advisory

FAQ

What is CVE-2025-40709?

CVE-2025-40709 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST req...

How severe is CVE-2025-40709?

CVE-2025-40709 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-40709?

Check the references section above for vendor advisories and patch information. Affected products include: Craws Openatlas.