
CVE-2025-60915: n/a

Severity: High
Tags: vulnerability, cve, cve-2025-60915
Published: Mon Nov 24 2025 (11/24/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute a path traversal via a crafted request.

AI-Powered Analysis

Last updated: 12/01/2025, 15:46:39 UTC

Technical Analysis

CVE-2025-60915 is a path traversal vulnerability in the Austrian Archaeological Institute's Openatlas software, specifically in the handling of the 'size' query parameter within the /views/file.py file. The vulnerability stems from insufficient sanitization of user-supplied input, allowing attackers to manipulate the file path and access files outside the intended directory. This can lead to unauthorized disclosure of sensitive information, including configuration files, credentials, or other protected data stored on the server. Exploitation requires low-level privileges (PR:L) but no user interaction (UI:N), making it relatively straightforward to exploit once access is gained. The CVSS 3.1 base score of 8.1 reflects the high impact on confidentiality and integrity, with a network attack vector (AV:N) and low attack complexity (AC:L). Although no public exploits have been reported yet, the presence of this vulnerability in specialized software used by archaeological and research institutions poses a significant risk. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common and well-understood class of security flaws. The lack of available patches at the time of publication means affected organizations should implement compensating controls and monitor for suspicious activity without delay.

Potential Impact

For European organizations, particularly those involved in archaeological research, cultural heritage preservation, and academic institutions using Openatlas, this vulnerability poses a serious risk. Exploitation could lead to unauthorized access to sensitive research data, personal information of researchers or subjects, and internal system files, potentially causing data breaches and intellectual property theft. The integrity of research data could be compromised, undermining the validity of ongoing projects. Additionally, attackers could leverage accessed files to escalate privileges or move laterally within the network. Given the specialized nature of Openatlas, the impact is concentrated but critical for affected entities. The breach of confidentiality and integrity could also damage institutional reputation and lead to regulatory penalties under GDPR if personal data is exposed. The absence of known exploits reduces immediate widespread risk but does not diminish the urgency for mitigation due to the ease of exploitation and high potential impact.

Mitigation Recommendations

Organizations should immediately upgrade Openatlas to version 8.12.0 or later once available to address this vulnerability. Until a patch is applied, implement strict input validation and sanitization on all parameters, especially the 'size' query parameter, to prevent path traversal sequences such as '../'. Employ web application firewalls (WAFs) with rules designed to detect and block path traversal attempts targeting the affected endpoint. Restrict file system permissions so that the Openatlas application user can reach only the directories and files it needs, minimizing the potential damage from exploitation. Log and monitor access to the /views/file.py endpoint and watch for unusual file access patterns. Educate system administrators and developers about CWE-22 risks and secure coding practices. Regularly audit and review application configurations and access controls. Finally, prepare incident response plans specific to data breaches involving research data and intellectual property.
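The input-validation advice above is the generic CWE-22 fix pattern. The following added example (written for this page, not code from Openatlas or its maintainers; the allowlist values, the `is_safe_request` helper and the directory layout are constructed assumptions) shows the vulnerable pattern of splicing a request parameter into a filesystem path next to a hardened version that allowlists the parameter, rejects separators and traversal components in the filename, and proves that the canonical path still lies under the served directory, which also catches symlinks that point outside it.

```python
"""Hardened handling of a user-controlled path component (CWE-22 fix pattern).

Illustrative code added for this page; it is not Openatlas's own code and
does not describe its internals. ALLOWED_SIZES is a constructed allowlist.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Constructed allowlist: the only 'size' variants the endpoint is meant to serve.
ALLOWED_SIZES = frozenset({"thumbnail", "table"})


class UnsafePathError(ValueError):
    """Raised when a request would resolve outside the served directory."""


def unsafe_resolve(base_dir: str, size: str, filename: str) -> Path:
    """The vulnerable pattern: request values are spliced into the path unchecked.

    pathlib does not collapse '..', so a size of '../..' walks out of base_dir.
    """
    return Path(base_dir) / size / filename


def safe_resolve(base_dir: str, size: str, filename: str) -> Path:
    """Hardened version: allowlist, single-component filename, containment proof."""
    if size not in ALLOWED_SIZES:
        raise UnsafePathError(f"size {size!r} is not an allowed value")
    # The filename must be exactly one path component: no separators,
    # no '.'/'..' and no NUL byte that could truncate the path in C code.
    if (not filename or filename in {".", ".."}
            or "/" in filename or "\\" in filename or "\x00" in filename):
        raise UnsafePathError(f"filename {filename!r} is not a plain file name")
    root = Path(base_dir).resolve()
    # resolve() canonicalises '..' and follows symlinks, so the check below
    # also rejects a symlink inside the tree that targets a file outside it.
    candidate = (root / size / filename).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePathError(f"{candidate} escapes {root}") from None
    return candidate


def is_safe_request(base_dir: str, size: str, filename: str) -> bool:
    """Boolean wrapper around safe_resolve for use in request handlers and tests."""
    try:
        safe_resolve(base_dir, size, filename)
        return True
    except UnsafePathError:
        return False


def demo() -> dict:
    """Build a constructed directory tree and exercise both resolvers.

    Returns a dict of outcomes so the behaviour can be checked programmatically.
    """
    root = Path(tempfile.mkdtemp(prefix="served-"))
    outside = root.parent / f"{root.name}-outside.txt"
    try:
        (root / "thumbnail").mkdir()
        (root / "thumbnail" / "ok.jpg").write_bytes(b"constructed image bytes")
        outside.write_text("constructed file outside the served directory")
        results = {
            "valid": is_safe_request(str(root), "thumbnail", "ok.jpg"),
            "traversal_in_size": is_safe_request(str(root), "../..", "ok.jpg"),
            "traversal_in_filename": is_safe_request(str(root), "thumbnail", "../../x"),
            # The unchecked join keeps the '..' components and so escapes root.
            "unsafe_builds_escaping_path": ".." in unsafe_resolve(str(root), "../..", "ok.jpg").parts,
        }
        try:
            os.symlink(outside, root / "thumbnail" / "escape")
            results["symlink_escape"] = is_safe_request(str(root), "thumbnail", "escape")
        except OSError:  # platforms where unprivileged symlink creation is refused
            results["symlink_escape"] = None
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)
        outside.unlink(missing_ok=True)


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The containment check is done on the fully resolved path rather than by string-matching for `../`, because encoded, doubled or platform-specific separator variants all collapse to the same canonical form once `resolve()` has run; the allowlist on `size` is the stronger control and should be preferred wherever the set of legitimate values is known in advance.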


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69247cb8efc7406fa668b298

Added to database: 11/24/2025, 3:41:44 PM

Last enriched: 12/1/2025, 3:46:39 PM

Last updated: 1/8/2026, 8:10:23 PM
