Vulnerability Note VU#845332
OrientDB and Studio prior to version 2.1.1 contain multiple vulnerabilities
OrientDB Studio, the web administration interface shipped with OrientDB Server Community Edition, contains several vulnerabilities in versions prior to 2.1.1.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-2912
The Studio web interface to OrientDB contains a CSRF vulnerability. State-changing requests are accepted on the strength of the victim's session credentials alone, so an attacker who induces a user with an active Studio session to trigger a malicious request (for example by visiting an attacker-controlled page) can perform actions with the same permissions as that user.
A remote, unauthenticated attacker may perform actions with the same permissions as a victim user. An authenticated user may be able to gain administrative privileges to the database by manipulating the session ID.
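The following is an added example, not code from the CERT note or from OrientDB/Studio. It models a browser-facing administrative endpoint in two forms: one that authorizes on the session cookie alone (the pattern CSRF exploits, since the browser attaches that cookie to a request forged from another origin) and a hardened form that adds an Origin check and a per-session synchronizer token, with session IDs drawn from the OS CSPRNG and privileges held only in the server-side session store. The origin, path, cookie and form names are hypothetical.

```python
"""Added example, not from the CERT note or OrientDB/Studio.
Minimal model of a state-changing admin endpoint, vulnerable and hardened."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

SITE_ORIGIN = "https://db.example.internal"  # hypothetical Studio origin


@dataclass
class Session:
    user: str
    role: str
    # Per-session anti-CSRF token; a cross-site page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Server-side session store: session id -> Session.
# Privileges live here, never in anything the client sends.
SESSIONS: Dict[str, Session] = {}


def new_session(user: str, role: str) -> str:
    """Issue an unguessable 256-bit session id and bind the role server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user, role)
    return sid


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    headers: Dict[str, str]
    form: Dict[str, str]


def _session_of(req: Request):
    return SESSIONS.get(req.cookies.get("sid", ""))


def handle_vulnerable(req: Request) -> Tuple[int, str]:
    """Authorizes on the session cookie alone. A logged-in admin who loads an
    attacker page submits this POST with the cookie attached, so it succeeds."""
    if req.method != "POST" or req.path != "/admin/drop_db":
        return 404, "not found"
    s = _session_of(req)
    if s is None or s.role != "admin":
        return 403, "forbidden"
    return 200, "dropped " + req.form.get("db", "")


def _same_origin(req: Request) -> bool:
    """Browsers set Origin on cross-site POSTs and a page cannot forge it;
    fall back to Referer (which carries a path) when Origin is absent."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def handle_hardened(req: Request) -> Tuple[int, str]:
    """Same endpoint with an Origin check and a synchronizer token."""
    if req.method != "POST" or req.path != "/admin/drop_db":
        return 404, "not found"
    s = _session_of(req)
    if s is None or s.role != "admin":
        return 403, "forbidden"
    if not _same_origin(req):
        return 403, "cross-site request rejected"
    # Constant-time compare of the token the legitimate page embedded in its form.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), s.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, "dropped " + req.form.get("db", "")


def demo() -> Dict[str, int]:
    """Constructed requests: a forged cross-site POST, the same POST with a
    guessed session id, and a legitimate same-origin POST carrying the token."""
    sid = new_session("dba", "admin")
    forged = Request("POST", "/admin/drop_db", {"sid": sid},
                     {"Origin": "https://attacker.example"}, {"db": "prod"})
    guessed = Request("POST", "/admin/drop_db", {"sid": "1"},
                      {"Origin": SITE_ORIGIN}, {"db": "prod"})
    legit = Request("POST", "/admin/drop_db", {"sid": sid}, {"Origin": SITE_ORIGIN},
                    {"db": "prod", "csrf_token": SESSIONS[sid].csrf_token})
    return {
        "vulnerable_forged": handle_vulnerable(forged)[0],
        "hardened_forged": handle_hardened(forged)[0],
        "hardened_guessed_sid": handle_hardened(guessed)[0],
        "hardened_legit": handle_hardened(legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request succeeds against the vulnerable handler because the only thing it lacks is something the browser supplies automatically. The hardened handler fails it twice over: the Origin header names another site, and the form carries no token that matches the server-side session. A guessed session id is rejected because nothing in the request, rather than the store, decides the role.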
Apply an update: upgrade OrientDB Server Community Edition and Studio to version 2.1.1 or later.
Disable OrientDB Studio: where an update cannot be applied, disable the Studio web interface to remove the affected attack surface.
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| Orient Technologies | Affected | 10 Jun 2015 | 18 Aug 2015 |
CVSS Metrics
Thanks to Raffaela Frank for reporting this vulnerability to us.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-2912 CVE-2015-2913 CVE-2015-2918
- Date Public: 31 Aug 2015
- Date First Published: 03 Sep 2015
- Date Last Updated: 03 Sep 2015
- Document Revision: 48
If you have feedback, comments, or additional information about this vulnerability, please send us email.