Studio, the web interface for OrientDB Server Community Edition, contains several vulnerabilities in versions prior to 2.1.1.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-2912
The Studio web interface to OrientDB contains a CSRF vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
An unauthenticated remote attacker may perform actions with the same permissions as a victim user. An authenticated user may be able to gain administrative privileges to the database by manipulating the Session ID.
Apply an update
Disable OrientDB Studio
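Beyond updating or disabling Studio, the CWE-352 weakness above is the classic case of a web console that accepts any state-changing request as long as the browser attaches a valid session cookie. The following Python model, added here as an illustration and not code from the CERT note or the OrientDB project, replays a constructed legitimate request and a constructed cross-site request against a cookie-only check and against a hardened check that also requires a matching Origin/Referer and a per-session synchronizer token. The console origin, the cookie name `SESSIONID` and the request bodies are assumptions made up for the example.

```python
"""Minimal model of a CSRF check for a cookie-authenticated web console."""
import hmac
import secrets
from urllib.parse import urlparse

# Assumed deployment origin of the web console (constructed for this example).
TRUSTED_ORIGIN = "https://studio.example.internal:2480"
SESSION_COOKIE = "SESSIONID"  # constructed cookie name, not the product's own
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# In-memory session store: session id -> {"user": name, "csrf": per-session token}
SESSIONS = {}


def create_session(user):
    """Issue an unguessable session id and bind a fresh CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the legitimate UI embeds in its forms or AJAX headers."""
    return SESSIONS[sid]["csrf"]


def _same_origin(candidate, trusted):
    """Compare scheme and host:port only; a Referer may carry a path."""
    c, t = urlparse(candidate), urlparse(trusted)
    return (c.scheme, c.netloc) == (t.scheme, t.netloc)


def vulnerable_authorize(method, headers, cookies, form):
    """Cookie-only check (the CWE-352 pattern): a valid session cookie is
    sufficient, so a cross-site request that the browser sends with the
    victim's cookie attached is accepted."""
    return cookies.get(SESSION_COOKIE) in SESSIONS


def hardened_authorize(method, headers, cookies, form):
    """Session cookie AND, for state-changing methods, an Origin/Referer that
    matches the console plus a per-session token compared in constant time."""
    sid = cookies.get(SESSION_COOKIE)
    if sid not in SESSIONS:
        return False
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must have no side effects to be safe here
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or not _same_origin(origin, TRUSTED_ORIGIN):
        return False
    token = headers.get("X-CSRF-Token") or form.get("csrf_token")
    if not token:
        return False
    return hmac.compare_digest(token, SESSIONS[sid]["csrf"])


def run_scenarios():
    """Replay two constructed requests against both checks."""
    sid = create_session("admin")
    cookies = {SESSION_COOKIE: sid}
    # 1. Legitimate request issued by the console page, carrying the token.
    legit = dict(method="POST",
                 headers={"Origin": TRUSTED_ORIGIN,
                          "X-CSRF-Token": csrf_token_for(sid)},
                 cookies=cookies, form={"sql": "SELECT 1"})
    # 2. Cross-site request: the browser attaches the cookie automatically,
    #    but a foreign page cannot read the token and sends its own Origin.
    forged = dict(method="POST",
                  headers={"Origin": "https://third-party.example"},
                  cookies=cookies, form={"sql": "SELECT 1"})
    return {
        "legit_vulnerable": vulnerable_authorize(**legit),
        "legit_hardened": hardened_authorize(**legit),
        "forged_vulnerable": vulnerable_authorize(**forged),
        "forged_hardened": hardened_authorize(**forged),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected'}")
```

The cookie-only check accepts both requests; the hardened check accepts only the one that proves it came from the console. Rejections of state-changing requests that carry a valid session cookie but a foreign Origin or no token are also the events worth logging, since they are the signature of a CSRF attempt against a logged-in user.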
Thanks to Raffaela Frank for reporting this vulnerability to us.
This document was written by Garret Wassermann.