CVE-2025-60916 identifies a reflected cross-site scripting (XSS) vulnerability in the Openatlas software developed by the Austrian Archaeological Institute, specifically affecting the /overview/network/ endpoint. This vulnerability arises due to insufficient sanitization of user-supplied input in the 'charge' parameter, allowing attackers to inject malicious JavaScript code that is reflected back in the HTTP response. When a victim accesses a crafted URL containing the malicious payload, the script executes within their browser context, potentially enabling attackers to hijack user sessions, steal cookies, manipulate the DOM, or redirect users to malicious sites. The vulnerability is present in versions prior to 8.12.0, with no patch links currently provided but an update to 8.12.0 presumably addressing the issue. No authentication or user interaction beyond visiting a malicious link is required, making exploitation relatively straightforward. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to users of Openatlas, particularly in academic and cultural heritage sectors that rely on this software for archaeological data management. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

For European organizations, especially those involved in archaeological research, cultural heritage management, and academic institutions using Openatlas, this vulnerability could lead to unauthorized access to sensitive research data, user credential compromise, and potential disruption of services. The reflected XSS can be leveraged to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, phishing attacks, or malware delivery. This undermines the confidentiality and integrity of user sessions and data. Given the specialized nature of Openatlas, the impact is more concentrated within research and cultural sectors but could also affect collaborative projects and data sharing platforms. The vulnerability could erode trust in digital research tools and expose organizations to reputational damage and regulatory scrutiny under GDPR if personal data is compromised.

The primary mitigation is to upgrade Openatlas installations to version 8.12.0 or later, where the vulnerability is addressed. In the absence of an immediate upgrade, organizations should implement strict input validation and output encoding on the 'charge' parameter to neutralize malicious scripts. Web application firewalls (WAFs) can be configured to detect and block typical XSS payloads targeting this endpoint. Additionally, security awareness training should inform users about the risks of clicking on suspicious links. Implementing Content Security Policy (CSP) headers can reduce the impact of successful XSS exploitation by restricting script execution sources. Regular security assessments and code reviews of custom integrations with Openatlas are recommended to identify similar injection points. Monitoring logs for unusual requests to the /overview/network/ endpoint can help detect exploitation attempts early.