Stored XSS via User Name in OrientDB 3.0.17
CVE-2019-25448 Published on February 20, 2026

OrientDB 3.0.17 Stored Cross-Site Scripting via User Creation
OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to execute arbitrary scripts when users view the application.

NVD

Vulnerability Analysis

CVE-2019-25448 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2019-25448. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2019-25448 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2019-25448

Want to know whenever a new CVE is published for Orientdb? stack.watch will email you.

Orientdb
 

Affected Versions

OrientDB Version 3.0.17 is affected by CVE-2019-25448

Exploit Probability

EPSS
0.05%
Percentile
14.63%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.