
CVE-2025-40702: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ACDH-CH OpenAtlas

Severity: Medium
Tags: Vulnerability, CVE-2025-40702, cve, cve-2025-40702, cwe-79
Published: Fri Aug 29 2025 (08/29/2025, 11:16:32 UTC)
Source: CVE Database V5
Vendor/Project: ACDH-CH
Product: OpenAtlas

Description

Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/file" petition, "creator" and "license_holder" parameters.

AI-Powered Analysis

AI analysis last updated: 08/29/2025, 12:03:33 UTC

Technical Analysis

CVE-2025-40702 is a Cross-Site Scripting (XSS) vulnerability identified in version 8.9.0 of OpenAtlas, a software product developed by the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH). The vulnerability arises from improper neutralization of user input during web page generation, specifically when handling POST requests to the "/insert/file" endpoint. The affected parameters are "creator" and "license_holder"; the values submitted in these fields are neither adequately validated on input nor encoded when they are written back into the page. An authenticated remote attacker can therefore craft input that, when processed by the vulnerable endpoint, executes arbitrary script in the context of the victim user's browser. The primary risk is the theft of session cookies, which can lead to session hijacking and unauthorized access to user accounts.

The CVSS 4.0 base score is 5.1, a medium severity level: the attack vector is network, attack complexity is low, the attacker needs low privileges, and user interaction is required, since the victim must visit a maliciously crafted page or follow a crafted link. Although the vulnerability does not directly affect the confidentiality, integrity, or availability of the server itself, it compromises the confidentiality of the victim's session through cookie theft. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

Potential Impact

For European organizations using OpenAtlas v8.9.0, particularly cultural heritage institutions, digital humanities research centers, and academic entities, this vulnerability poses a significant risk to user session security. Successful exploitation could allow attackers to hijack authenticated sessions, potentially leading to unauthorized access to sensitive data, manipulation of digital archives, or disruption of research workflows. Given that OpenAtlas is developed by an Austrian institution and likely used across European academic and cultural organizations, the impact could be widespread within this niche. The compromise of user sessions could also facilitate further attacks such as privilege escalation or data exfiltration. Although the vulnerability does not directly affect system availability or data integrity, the loss of session confidentiality undermines trust in the platform and could lead to reputational damage. Additionally, the medium severity score suggests that while the vulnerability is not critical, it should be addressed promptly to prevent exploitation, especially in environments where sensitive cultural or research data is managed.

Mitigation Recommendations

1. Immediate mitigation should include implementing strict input validation and output encoding on the "creator" and "license_holder" parameters in the "/insert/file" POST request handler to neutralize potentially malicious scripts.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.
3. Enforce secure cookie attributes such as the HttpOnly and Secure flags to reduce the risk of cookie theft via XSS.
4. Conduct a thorough code review and security testing of all user input handling components in OpenAtlas to identify and remediate similar vulnerabilities.
5. Educate users about the risks of clicking on untrusted links and encourage the use of multi-factor authentication to mitigate session hijacking impacts.
6. Monitor network traffic and application logs for unusual activities that may indicate attempted exploitation.
7. Coordinate with ACDH-CH for timely patches or updates and apply them as soon as they become available.
8. Consider deploying Web Application Firewalls (WAF) with rules targeting XSS attack patterns specific to OpenAtlas endpoints as an interim protective measure.
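The following is an added example illustrating the flaw described in the Technical Analysis and recommendations 1, 2, 3 and 6 above; it is not code from OpenAtlas or ACDH-CH. It is framework-agnostic Python using only the standard library: the parameter names "creator" and "license_holder" come from the advisory, while the sample POST body, the function names, the CSP value and the detection pattern are this example's own constructions. The point it makes is that output encoding at the moment the value is written into HTML is what stops the script from running; input validation, the CSP and the cookie flags each reduce what an attacker gains if the encoding is missed.

```python
import html
import re

# Parameters named in the advisory for the /insert/file POST handler.
MONITORED_FIELDS = ("creator", "license_holder")

# Constructed sample POST body (not captured from OpenAtlas): "creator" carries
# a harmless test payload of the kind the advisory describes.
SAMPLE_FORM = {
    "name": "chart.png",
    "creator": "Jane Doe <script>alert(1)</script>",
    "license_holder": "ACDH-CH",
}


def sanitize_text_field(value: str, max_len: int = 255) -> str:
    """Input validation for a free-text metadata field: drop non-printable
    characters and bound the length. This keeps stored values tidy but is
    NOT what prevents XSS; that job belongs to output encoding."""
    printable = "".join(ch for ch in value if ch.isprintable())
    return printable[:max_len].strip()


def encode_for_html(value: str) -> str:
    """Output encoding: escape &, <, >, " and ' so the browser renders the
    value as text instead of parsing it as markup."""
    return html.escape(value, quote=True)


def render_file_row(form: dict) -> str:
    """Render the stored metadata into an HTML table row, encoding every
    dynamic value at the point where it is written into the page."""
    creator = encode_for_html(sanitize_text_field(form.get("creator", "")))
    holder = encode_for_html(sanitize_text_field(form.get("license_holder", "")))
    return (
        f'<tr><td class="creator">{creator}</td>'
        f'<td class="license-holder">{holder}</td></tr>'
    )


def security_headers() -> dict:
    """Response headers that limit the damage if an encoding bug slips
    through: this CSP permits scripts only from the application's own origin
    and blocks inline script, plugins and framing (example policy)."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie: HttpOnly keeps page script
    from reading it via document.cookie, Secure restricts it to HTTPS, and
    SameSite limits cross-site sending."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Heuristic for log monitoring (recommendation 6): markup or event-handler
# syntax has no business in a creator or licence-holder name. This is for
# alerting and review, not a substitute for encoding.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def flag_suspicious_fields(form: dict) -> list:
    """Return the monitored field names whose raw submitted value looks like
    an injection attempt, so the request can be logged for investigation."""
    return [name for name in MONITORED_FIELDS if _SUSPICIOUS.search(form.get(name, ""))]


if __name__ == "__main__":
    print(render_file_row(SAMPLE_FORM))
    print(flag_suspicious_fields(SAMPLE_FORM))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Running the block prints the encoded table row, in which the `<script>` tag from the constructed "creator" value appears as `&lt;script&gt;` and is displayed rather than executed, and reports `['creator']` as the field worth logging. In a real deployment the headers from `security_headers()` and the cookie attributes would be set by the web framework on every response, and the flagged requests would feed the monitoring in recommendation 6.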


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T08:38:18.261Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b19364ad5a09ad00775546

Added to database: 8/29/2025, 11:47:48 AM

Last enriched: 8/29/2025, 12:03:33 PM

Last updated: 8/30/2025, 12:34:20 AM
