Bug #2488
closed
Improved user input validation
Start date: 2025-02-21
Description
INCIBE, the Spanish National Cybersecurity Institute, kindly made us aware of possible vulnerabilities reported by Andrea Intilangelo related to user input validation yesterday.
Most likely these were introduced unintentionally during a recent system-wide refactoring.
These vulnerabilities were not very serious/practical in the way OpenAtlas is used: a registered user with right access could have injected JavaScript via form fields. But a user with right access could wreak havoc anyway; that's what backups are for. Nevertheless, we of course fixed these issues immediately and released them today with 8.10.1.
Thanks to Andrea Intilangelo and INCIBE for making us aware of it.