Cyber Posture

CVE-2025-60915

High

Published: 24 November 2025

Modified: 28 November 2025
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to execute a path traversal via a crafted request.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly addresses path traversal by requiring validation of the size query parameter in /views/file.py to detect and block malicious directory traversal inputs.
- Prevent: Mandates timely remediation of the specific flaw in Openatlas versions before v8.12.0 by patching or upgrading to the fixed version.
- Prevent: Boundary protection at web interfaces can filter crafted HTTP requests containing path traversal sequences before they reach the vulnerable endpoint.

Security Summary

CVE-2025-60915 is a path traversal vulnerability (CWE-22) affecting the size query parameter of the /views/file.py endpoint in the Austrian Archaeological Institute's Openatlas software, in versions before v8.12.0. Published on 2025-11-24, it lets attackers traverse directory paths through a crafted HTTP request and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

An attacker with low privileges (PR:L), such as an authenticated user, can exploit this remotely over the network with low complexity and no user interaction required. Exploitation allows high confidentiality and integrity impacts, potentially enabling unauthorized access to sensitive files, including local file inclusion for exfiltrating configuration data.

Advisories recommend upgrading to Openatlas v8.12.0 or later to mitigate the issue. Further details on the vulnerability, including proof-of-concept exploitation, are documented at https://www.sec4you-pentest.com/schwachstelle/openatlas-schwachstelle-lfi-konfigurationsdatei-exfiltration/ and https://www.sec4you-pentest.com/schwachstellen/.

Details

CWE(s)

- CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Affected Products

- craws openatlas: ≤ 8.12.0

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A path traversal vulnerability in a public-facing web application endpoint (/views/file.py) lets low-privileged authenticated users exploit it remotely to access and exfiltrate sensitive local files, including configuration data, which maps directly to Exploit Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References