CVE-2015-2912
Published: 2015-12-31
Priority: P3 37 · high · 8.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 1.32% (percentile 67.3)
The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orientdb | orientdb | <= 2.0.14 | — |
| orientdb | orientdb | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
OSV
OrientDB-Server vulnerable to Cross-Site Request Forgery
osv · 2018-10-18 · CVE-2015-2912 · HIGH
GHSA
OrientDB-Server vulnerable to Cross-Site Request Forgery
ghsa · 2018-10-18 · CVE-2015-2912 · HIGH · CWE-352
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.