CVE-2025-40702

Name of the Vulnerable Software and Affected Versions OpenAtlas version 8.9.0

Description A Cross-Site Scripting (XSS) issue exists in OpenAtlas due to insufficient validation of user input received through POST requests. This could allow a remote user to send crafted queries to an authenticated user, potentially stealing session cookie details. The vulnerability is triggered via the /insert/file API endpoint, specifically through the creator and license holder parameters.

Recommendations Ensure proper validation and sanitization of user input for the creator and license holder parameters in the /insert/file API endpoint.