CVE-2015-2912

The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
certccCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
VendorProductVersion
orientdborientdb
𝑥
≤ 2.0.14
orientdborientdb
2.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/orientechnologies/orientdb/issues/4824
https://www.kb.cert.org/vuls/id/845332
https://github.com/orientechnologies/orientdb/issues/4824
https://www.kb.cert.org/vuls/id/845332