Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a hardcoded Administrator password.
The vulnerability consists of a hardcoded password for the administrator account in the OpenAtlas application, which is a classic example of CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials). An attacker who discovers or guesses this password (e.g., through source code or documentation analysis) can log into the administrator account without any additional authentication barriers. The attack vector is network-based and does not require prior authentication or user interaction.
An attacker gains full access to the application's administrator account, resulting in a breach of confidentiality, integrity, and availability of data — including the possibility of theft, modification, or deletion of archaeological data stored in the system.
Apply patches available from the manufacturer according to the references. As an immediate remedial action, change the administrator account password to a unique and strong password and restrict access to the administration panel exclusively to trusted IP addresses.
OpenAtlas v8.11.0 (Austrian Archaeological Institute)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCraws Openatlas
APPCraws< 8.12.0
Related vulnerabilities
SQL Injection w OpenAtlas v8.11.0 (Austrian Archaeological Institute)
An issue in the size query parameter (/views/file.py) of Austrian Archaeological Institute Openatlas before v8...
A cross-site scripting (XSS) vulnerability in Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 allows ...
Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to acc...
An issue in Austrian Academy of Sciences (AW) Austrian Archaeological Institute OpenAtlas v.8.12.0 allows a re...