CVE-2015-2912

HIGH

OrientDB Server Community Edition <2.0.15 & <2.1.x - CSRF

Title source: llm

Description

The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2015-2912-orientdb-vulnerable
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2015-2912-orientdb-vulnerable

Scores

CVSS v3 8.8
EPSS 0.0021
EPSS Percentile 43.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (3)
com.orientechnologies/orientdb-studio 0 - 2.0.15 (Maven)
orientdb/orientdb 2.1.0
orientdb/orientdb < 2.0.14
Published Dec 31, 2015
Tracked Since Feb 18, 2026