CVE-2015-2912 Information

Description

The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and obtain sensitive information via a crafted HTTP request.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://github.com/orientechnologies/orientdb/issues/4824
https://www.kb.cert.org/vuls/id/845332

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
