Vulnerability Description
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery (CSRF) vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to REST endpoints such as /database/, /command/, and /document/. Because these endpoints accept an authenticated user's browser-originated requests without validating an anti-CSRF token, an attacker can create or delete databases, modify schema classes, manage users, and create functions on the victim's behalf. The issue is compounded by reflected and stored cross-site scripting vulnerabilities in the web interface.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Orientdb | Orientdb | 3.0.17 |
Related Weaknesses (CWE)
References
- https://orientdb.dev/ (Product)
- https://www.exploit-db.com/exploits/46517 (Exploit, VDB Entry)
- https://www.vulncheck.com/advisories/orientdb-cross-site-request-forgery (Third Party Advisory)
FAQ
What is CVE-2019-25447?
CVE-2019-25447 is a vulnerability with a CVSS score of 4.3 (MEDIUM). OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database...
How severe is CVE-2019-25447?
CVE-2019-25447 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-25447?
Check the references section above for vendor advisories and patch information. Affected products include: Orientdb Orientdb.