CVE-2015-2918: OrientDB Studio web management interface is vulnerable to clickjacking attacks
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.62192%
CWE
Published
10/18/2018
Updated
9/29/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.orientechnologies:orientdb-studio | maven | < 2.0.15 | 2.0.15 |
com.orientechnologies:orientdb-studio | maven | = 2.1.0 | 2.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing X-Frame-Options headers. The HTTP response handler (OHttpResponse.sendResponseHeaders) would be the logical location for this security control. The mitigation requires adding this header, confirming the vulnerable versions lacked it in this core response handling function. While no direct patch code is shown, the CERT workaround and standard Java web response handling patterns strongly indicate this as the vulnerable function.