CVE-2025-40707

Name of the Vulnerable Software and Affected Versions OpenAtlas version 8.9.0

Description A Cross-Site Scripting (XSS) issue exists due to inadequate validation of user input when a POST request is sent. This could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details. The vulnerability occurs via the /insert/place API endpoint, specifically through the name and alias-0 parameters.

Recommendations Ensure proper validation and sanitization of user input for the name and alias-0 parameters when handling POST requests to the /insert/place API endpoint.