CVE-2015-2912

Published: Dec 31, 2015Modified: May 6, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.

Affected (2)

Products: Orientdb: Orientdb

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Orientdb Orientdb	Up to 2.0.14
Orientdb Orientdb	Version 2.1.0

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://github.com/orientechnologies/orientdb/issues/4824

Source: cret@cert.org

Vendor Advisory

https://www.kb.cert.org/vuls/id/845332

Source: cret@cert.org

Third Party AdvisoryUS Government Resource

https://github.com/orientechnologies/orientdb/issues/4824

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.kb.cert.org/vuls/id/845332

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.