CVE-2019-25448

Name of the Vulnerable Software and Affected Versions OrientDB version 3.0.17

Description OrientDB 3.0.17 has a stored cross-site scripting issue. Authenticated attackers can inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the /document API endpoint with JavaScript code in the name field, leading to arbitrary script execution when users view the application.

Recommendations Avoid creating users with script payloads in the name parameter. Restrict or sanitize input to the name parameter when creating users. As a temporary workaround, consider disabling user creation functionality until a fix is available.