Key Information

Vulnerability Overview
- Vulnerability Type: Multiple Cross-Site Scripting (XSS) vulnerabilities
- Affected Software: OpenAtlas v8.9.0
- Discoverer: Andrea Intralongo (acme)
- Release Date: August 28, 2025
- Identifier: INCIBE-2025-0460
- Severity: Medium (3 - Medium)

Affected Resources
OpenAtlas, version v8.9.0

Description
INCIBE coordinated the disclosure of eight medium-severity vulnerabilities affecting OpenAtlas, discovered by the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH). These vulnerabilities have been assigned the CVE identifiers CVE-2025-40702 through CVE-2025-40709, each with a CVSS v4.0 base score of 5.1.

Solution
The vulnerabilities have been fixed in version 8.10.1, which is available on GitHub.

Details
Multiple stored XSS vulnerabilities exist due to insufficient validation of user input during POST requests. These vulnerabilities could allow remote attackers to send specially crafted queries to authenticated users, potentially stealing their session cookie information.

CVE List
- CVE-2025-40702: "creator" and "license_holder" parameters in the "Insert/file" request
- CVE-2025-40703: "name" and "alias-0" parameters in the "Insert/group" request
- CVE-2025-40704: "name" parameter in the "Insert/edition" request
- CVE-2025-40705: "name" parameter in the "Insert/acquisition" request
- CVE-2025-40706: "name" parameter in the "Insert/source" request
- CVE-2025-40707: "name" and "alias-0" parameters in the "Insert/place" request
- CVE-2025-40708: "name" parameter in the "Insert/event" request
- CVE-2025-40709: "name" and "alias-0" parameters in the "Insert/person/" request
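The following regression check is an added example and not part of the advisory or the OpenAtlas code base. It walks the endpoint/parameter pairs listed above, stores an inert HTML canary through each one, and reports where a renderer returns it without entity encoding; `render_vulnerable` and `render_hardened` are hypothetical stand-ins for the application's own view code, used to show the before/after behaviour.

```python
import html

# Endpoints and form parameters named in INCIBE-2025-0460 (CVE-2025-40702 to -40709).
AFFECTED_PARAMS = {
    "Insert/file": ("creator", "license_holder"),
    "Insert/group": ("name", "alias-0"),
    "Insert/edition": ("name",),
    "Insert/acquisition": ("name",),
    "Insert/source": ("name",),
    "Insert/place": ("name", "alias-0"),
    "Insert/event": ("name",),
    "Insert/person/": ("name", "alias-0"),
}


def canary_for(param: str) -> str:
    """Inert marker tag (no script, no handlers): it only reveals whether markup
    stored via this parameter reaches the page raw or entity-encoded."""
    return f'<i data-canary="{param}">canary</i>'


def render_vulnerable(stored: dict) -> str:
    """Hypothetical 'before' renderer: interpolates stored values as raw HTML."""
    rows = "".join(f"<dt>{k}</dt><dd>{v}</dd>" for k, v in stored.items())
    return f"<dl>{rows}</dl>"


def render_hardened(stored: dict) -> str:
    """Hypothetical 'after' renderer: entity-encodes every stored key and value,
    including quotes, so stored markup is displayed as text."""
    rows = "".join(
        f"<dt>{html.escape(k)}</dt><dd>{html.escape(v, quote=True)}</dd>"
        for k, v in stored.items()
    )
    return f"<dl>{rows}</dl>"


def find_unescaped(render) -> list:
    """Simulate a POST to each affected endpoint with a per-parameter canary,
    render the stored record, and list (endpoint, param) pairs whose canary
    survives unencoded. An empty list means every listed field is escaped."""
    findings = []
    for endpoint, params in AFFECTED_PARAMS.items():
        stored = {p: canary_for(p) for p in params}  # constructed POST payload
        page = render(stored)
        findings.extend((endpoint, p) for p in params if canary_for(p) in page)
    return findings
```

Against a running instance the same loop would submit each form and fetch the resulting detail page instead of calling a local renderer.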