Lucene search

[email protected]NVD:CVE-2015-2912

HistoryDec 31, 2015 - 5:59 a.m.

CVE-2015-2912

2015-12-3105:59:08

CWE-352

[email protected]

web.nvd.nist.gov

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.005

Percentile

76.3%

JSON

The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request.

Affected configurations

Nvd

Node

orientdborientdbRange≤2.0.14community

orientdborientdbMatch2.1.0community

VendorProductVersionCPE
orientdborientdb*cpe:2.3:a:orientdb:orientdb:*:*:*:*:community:*:*:*
orientdborientdb2.1.0cpe:2.3:a:orientdb:orientdb:2.1.0:*:*:*:community:*:*:*