← Back

Orientdb

orientdb

Vendor: Orientdb • 7 CVEs

CVEs (7)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2019-25449
1Orientdb
1Orientdb
Feb 24, 2026
Feb 20, 2026
5.1 MEDIUM· v4
6.1 MEDIUM· v3
N/A· v2
OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. Attackers can send POST requests to...Show more
OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. Attackers can send POST requests to /document/demodb/-1:-1 with script tags in the name parameter to execute arbitrary JavaScript in users' browsers.Show less
CVE-2019-25448
1Orientdb
1Orientdb
Feb 24, 2026
Feb 20, 2026
5.1 MEDIUM· v4
6.4 MEDIUM· v3
N/A· v2
OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST r...Show more
OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to execute arbitrary scripts when users view the application.Show less
CVE-2019-25447
1Orientdb
1Orientdb
Feb 24, 2026
Feb 20, 2026
5.3 MEDIUM· v4
3.5 LOW· v3
N/A· v2
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /d...Show more
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface.Show less
CVE-2017-11467
1Orientdb
1Orientdb
May 13, 2026
Jul 20, 2017
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request.
CVE-2015-2918
1Orientdb
1Orientdb
May 6, 2026
Dec 31, 2015
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
The Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks...Show more
The Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site.Show less
CVE-2015-2913
1Orientdb
1Orientdb
May 6, 2026
Dec 31, 2015
N/A· v4
5.9 MEDIUM· v3
4.3 MEDIUM· v2
server/network/protocol/http/OHttpSessionManager.java in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of ra...Show more
server/network/protocol/http/OHttpSessionManager.java in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.Show less
CVE-2015-2912
1Orientdb
1Orientdb
May 6, 2026
Dec 31, 2015
N/A· v4
8.8 HIGH· v3
6.8 MEDIUM· v2
The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request...Show more
The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.Show less