CVE-2025-51534
Published: 04 August 2025
Summary
CVE-2025-51534 is a high-severity stored Cross-site Scripting (CWE-79) vulnerability in OpenAtlas (vendor: craws). Its CVSS base score is 8.1 (High).
Operationally, the page maps exploitation to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068), since the injected script runs with the session of whichever privileged user views it. It is ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): validates and sanitizes input to the Name field server-side, limiting what a high-privilege attacker can store; because names legitimately contain punctuation, this is a secondary layer rather than the primary defense.
SI-15 (Information Output Filtering): encodes the stored Name field for the context it is rendered into (HTML text, HTML attribute, and any inline JavaScript such as the delete button's confirmation), blocking arbitrary script execution in victims' browsers. This is the control that actually prevents the XSS.
SI-2 (Flaw Remediation): identifies, reports, and corrects the specific stored XSS flaw in OpenAtlas v8.11.0 through timely patching and remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS runs attacker-supplied JavaScript in the victim's browser (T1059.007, JavaScript). Because that script executes with the victim's authenticated session, it can act as a form of privilege escalation (T1068), steal web session cookies for account takeover (T1539), and inject arbitrary content into the application's pages (T1659).
NVD Description
A cross-site scripting (XSS) vulnerability in Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field.
Deeper analysis
CVE-2025-51534 is a cross-site scripting (XSS) vulnerability in OpenAtlas version 8.11.0, a software product from the Austrian Archaeological Institute (ÖAI). The issue, classified under CWE-79, lets an attacker inject a crafted payload into the Name field, resulting in the execution of arbitrary web scripts or HTML. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N): network-reachable, low attack complexity, high confidentiality and integrity impact, and a changed scope because the script runs in the victim's browser rather than in the vulnerable component.
Exploitation requires high privileges (PR:H), i.e. an authenticated OpenAtlas user who is allowed to create or edit entities. By saving a malicious payload as the Name of an entity, the attacker creates a stored XSS condition. The payload executes when another user views a page where that entity's delete button is rendered, so user interaction (UI:R) is required, and the script runs in the victim's browser and session context. Successful exploitation compromises confidentiality and integrity at a high level: the script can read what the victim can read and perform actions the victim is authorized to perform, including data theft or manipulation.
Advisories referenced in the CVE, primarily from sec4you-pentest.com, describe a stored, nested XSS in the delete button context; see https://www.sec4you-pentest.com/schwachstelle/openatlas-stored-nested-xss-delete-button/ and related pages. These sources provide technical vulnerability information but do not specify patches or mitigations in the available CVE data.
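As an added illustration of the two controls named above (SI-10 input validation and SI-15 output encoding) against the rendering pattern described here, the following is hypothetical Python written for this page. It is not OpenAtlas's code: the delete-button markup, the function names, and the sample payloads are assumptions made for the example and do not reproduce the advisory's actual payload. The vulnerable renderer interpolates the stored name into both an HTML text context and an inline JavaScript string, which is what a "nested" XSS can exploit; the hardened renderer escapes the name for HTML and removes the inline-JavaScript context entirely.

```python
import html

# Constructed sample inputs (assumptions for this example, not the advisory's payload).
NAME_BREAKS_HTML = '"><img src=x onerror=alert(1)>'   # escapes the HTML/attribute context
NAME_BREAKS_JS = "'); alert(1); //"                    # escapes the inline JS string context
MAX_NAME_LENGTH = 255


def render_delete_button_vulnerable(entity_id: int, name: str) -> str:
    """Hypothetical vulnerable sink: the stored name is pasted verbatim into
    HTML text, an HTML attribute, and a JavaScript string inside onclick.
    A crafted name can break out of any of those three contexts."""
    return (f'<button onclick="return confirm(\'Delete {name}?\')" '
            f'data-id="{entity_id}">Delete {name}</button>')


def render_delete_button_hardened(entity_id: int, name: str) -> str:
    """SI-15 output filtering. The name is HTML-escaped (quotes included, so
    it is safe in attributes) and there is no inline JavaScript at all: the
    confirmation text travels in a data attribute, and a separate static
    script (not shown) reads it via element.dataset. Without a JS-string
    context, there is nothing for a quote in the name to break out of."""
    safe_name = html.escape(name, quote=True)
    return (f'<button class="delete" data-id="{int(entity_id)}" '
            f'data-name="{safe_name}">Delete {safe_name}</button>')


def validate_name(name: str) -> str:
    """SI-10 input validation. Names legitimately contain apostrophes and
    angle brackets, so this rejects only what no name needs: empty values,
    control characters and excessive length. It reduces the attack surface
    but does not replace the output encoding above."""
    name = name.strip()
    if not name or len(name) > MAX_NAME_LENGTH:
        raise ValueError(f"name must be 1..{MAX_NAME_LENGTH} characters")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("name must not contain control characters")
    return name


def raw_markup_survives(rendered: str, name: str) -> bool:
    """Simple sink check: True if the stored name reached the page without
    any of its HTML-significant characters being encoded."""
    return name in rendered and any(c in name for c in '<>"\'')


if __name__ == "__main__":
    for payload in (NAME_BREAKS_HTML, NAME_BREAKS_JS):
        print("vulnerable:", render_delete_button_vulnerable(7, payload))
        print("hardened:  ", render_delete_button_hardened(7, payload))
```

Running the block shows the vulnerable output containing a live `<img ... onerror=...>` tag and a terminated `confirm('Delete ')` string followed by injected code, while the hardened output carries the same name only as `&lt;`, `&gt;`, `&quot;` and `&#x27;` entities. The same pattern applies to a Jinja2 template: autoescaping covers the HTML and attribute contexts, but a name placed inside an inline `onclick` string is still a JavaScript context that autoescaping alone does not make safe, so the fix is to keep the value out of inline script.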
Details
- CWE(s)