CVE-2019-25447
Received Received - Intake
CSRF and XSS in OrientDB 3.0.17 Allow Unauthorized Actions

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: VulnCheck

Description
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25447
EUVD
EUVD-2019-19606
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orientdb orientdb 3.0.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in OrientDB 3.0.17 GA Community Edition is a cross-site request forgery (CSRF) issue. It allows attackers to perform unauthorized actions by sending malicious requests to specific endpoints such as /database/, /command/, and /document/. These actions include creating or deleting databases, modifying schema classes, managing users, and creating functions. The problem arises because authenticated requests lack proper token validation, and this is compounded by reflected and stored cross-site scripting (XSS) vulnerabilities in the web interface.

Impact Analysis

The impact of this vulnerability includes unauthorized modification and management of the database system. Attackers can create or delete databases, alter schema classes, manage user accounts, and create functions without proper authorization. This can lead to data integrity issues, unauthorized access, potential data loss, and disruption of database services.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart