CVE-2015-2912
OrientDB-Server vulnerable to Cross-Site Request Forgery
CVSS 3.1 base score: 8.8 (HIGH)
EPSS: 0.21%
Description
The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.
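As an added example (not OrientDB's own code), this is the restriction a JSONP endpoint should enforce on its callback value; it assumes the endpoint reads the callback name from a query parameter and wraps the JSON document in a call to it.

```javascript
// Added example (not OrientDB's code): validating a JSONP "callback"
// parameter so the value cannot place arbitrary script into the response.
// Assumed: the endpoint takes the callback name from the query string and
// wraps a JSON document in it.

// A safe callback is a dotted chain of JavaScript identifiers, e.g.
// "cb", "jQuery123", "app.handlers.done". Anything else (spaces, quotes,
// parentheses, angle brackets) is rejected outright.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallback(name) {
  return typeof name === "string" && name.length <= 64 && CALLBACK_RE.test(name);
}

// Builds the JSONP response. Rejecting a bad name (rather than escaping it)
// is the robust choice: the callback is emitted as code, not data, so there
// is nothing to escape. The leading comment and nosniff header stop tricks
// that rely on controlling the first bytes of a response of another type.
function buildJsonpResponse(callback, payload) {
  if (!isValidCallback(callback)) {
    return { status: 400, headers: {}, body: "invalid callback" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${callback}(${JSON.stringify(payload)});`,
  };
}

// Constructed sample document, standing in for what a server endpoint returns.
const sample = { user: "admin", roles: ["admin"] };

console.log(buildJsonpResponse("app.done", sample).body);   // /**/app.done({...});
console.log(buildJsonpResponse("alert(1);//", sample).status); // 400
```

Restricting the callback removes the script-injection problem; a cookie-authenticated JSONP endpoint still hands its data to any page that embeds it, so such an endpoint should also require an explicit token or origin check before returning sensitive data.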
How to fix CVE-2015-2912
To remediate CVE-2015-2912, upgrade the affected package to a fixed version below.
- upgrade to 2.0.15 or later
Is CVE-2015-2912 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- all versions from 0 up to, but not including, 2.0.15
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |