Name of the Vulnerable Software and Affected Versions:
OpenAtlas version 8.9.0
Description:
A Cross-Site Scripting (XSS) issue exists in OpenAtlas because user input received through POST requests is insufficiently validated. A remote user could deliver crafted requests to an authenticated user, potentially stealing that user's session cookie. The vulnerability is triggered via the `/insert/event` API endpoint, specifically through the `name` parameter.
Recommendations:
Ensure proper validation and sanitization of user input for the `name` parameter in the `/insert/event` API endpoint.
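As an added example (not OpenAtlas's own code), the following Python sketches the two halves of the fix the recommendation calls for: validating the `name` parameter on input and HTML-escaping it on output, with the vulnerable interpolation shown beside the hardened one. The handler shape, the form dict and the length limit are assumptions; only the endpoint and parameter names come from the advisory.

```python
# Added example, not OpenAtlas code: validate the `name` field of a
# POST /insert/event request and HTML-escape it before rendering.
import html
import re

MAX_NAME_LEN = 255  # assumed limit; the advisory states no real value
# Reject C0/C1 control characters (tabs, newlines, escape sequences).
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def validate_event_name(raw):
    """Return the cleaned name or raise ValueError with the reason."""
    name = str(raw).strip()
    if not name:
        raise ValueError("name must not be empty")
    if len(name) > MAX_NAME_LEN:
        raise ValueError("name exceeds %d characters" % MAX_NAME_LEN)
    if CONTROL_CHARS.search(name):
        raise ValueError("name contains control characters")
    return name


def render_event_unsafe(name):
    """Vulnerable pattern: the stored value is interpolated into HTML
    as-is, so any markup in `name` reaches the next user's browser."""
    return f"<h1>{name}</h1>"


def render_event_safe(name):
    """Hardened form: escape <, >, & and both quote characters."""
    return f"<h1>{html.escape(name, quote=True)}</h1>"


def handle_insert_event(form):
    """Stand-in for the POST /insert/event handler (assumed shape):
    validate on input, escape on output. Returns (status, body)."""
    try:
        name = validate_event_name(form.get("name", ""))
    except ValueError as err:
        return 400, f"invalid name: {err}"
    return 200, render_event_safe(name)


if __name__ == "__main__":
    # Constructed sample containing characters that are special in HTML.
    sample = 'Excavation <season 2024> & "finds"'
    print(render_event_unsafe(sample))  # markup passes through unchanged
    print(handle_insert_event({"name": sample}))  # markup is neutralised
```

Input validation alone is not the fix: the browser is protected by the output escaping, and the validation only narrows what gets stored.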