CVE-2019-25447
Received Received - Intake

CSRF and XSS in OrientDB 3.0.17 Allow Unauthorized Actions

Vulnerability report for CVE-2019-25447, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: VulnCheck

Description

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-20
Last Modified
2026-02-24
Generated
2026-07-06
AI Q&A
2026-02-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
orientdb orientdb 3.0.17

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in OrientDB 3.0.17 GA Community Edition is a cross-site request forgery (CSRF) issue. It allows attackers to perform unauthorized actions by sending malicious requests to specific endpoints such as /database/, /command/, and /document/. These actions include creating or deleting databases, modifying schema classes, managing users, and creating functions. The problem arises because authenticated requests lack proper token validation, and this is compounded by reflected and stored cross-site scripting (XSS) vulnerabilities in the web interface.

Impact Analysis

The impact of this vulnerability includes unauthorized modification and management of the database system. Attackers can create or delete databases, alter schema classes, manage user accounts, and create functions without proper authorization. This can lead to data integrity issues, unauthorized access, potential data loss, and disruption of database services.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart