CVE-2019-25448 in OrientDB
Summary
by MITRE • 02/21/2026
OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to execute arbitrary scripts when users view the application.
Analysis
by VulDB Data Team • 02/21/2026
OrientDB version 3.0.17 contains a critical stored cross-site scripting vulnerability that poses a significant security risk to authenticated users. The flaw is in the user management functionality, where the system fails to properly sanitize user input when new user accounts are created. An attacker who is already authenticated can inject malicious scripts by embedding JavaScript code directly in the name parameter during user creation. The vulnerability specifically affects the document endpoint, which processes user data submissions, making it a prime target for persistent XSS attacks that can compromise user sessions and data integrity.
The vulnerability stems from insufficient input validation and output sanitization within the OrientDB application layer. When an authenticated attacker creates a new user account with JavaScript code embedded in the name field, the system stores the payload without proper encoding or filtering. The stored data is then rendered in the user interface without appropriate security measures, so the injected script executes in the context of other users who view the affected user information. The vulnerability is triggered through a standard HTTP POST request, making it relatively easy to exploit using common web application attack vectors. This type of vulnerability falls under CWE-79, which covers cross-site scripting flaws in software applications.
The operational impact extends beyond simple script execution, because the flaw creates a persistent threat that can compromise multiple users within the system. Once an attacker has injected malicious code, the script executes whenever any user views the affected user profile or related information displays. This persistence makes the vulnerability particularly dangerous: it can be used to steal session cookies, redirect users to malicious sites, perform unauthorized actions on behalf of victims, or even escalate privileges within the application. The attack requires only authenticated access to the system, which significantly lowers the barrier to exploitation compared with vulnerabilities that require additional reconnaissance or privilege escalation. This vulnerability maps to attack techniques described in the attack pattern taxonomy under the ATT&CK framework for web application exploitation.
Mitigation should focus on comprehensive input validation and output encoding throughout the application. Organizations should immediately sanitize all user input fields, particularly those rendered in web interfaces without additional security measures. The system should enforce strict validation rules that reject or escape potentially dangerous characters and script tags during user creation. Content Security Policy headers can provide an additional layer of protection against script execution even if the underlying vulnerability persists. Security updates and patches should be applied as soon as they are available, as this vulnerability affects a specific version of OrientDB that likely has a fix available. Organizations should also consider deploying web application firewalls and monitoring for suspicious user creation patterns that might indicate exploitation attempts. The vulnerability highlights the importance of input validation in all user-facing application components and shows how seemingly minor flaws in data handling can create significant security risks for entire user populations within database applications.
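The validation, output encoding and monitoring steps described above can be sketched as follows. This is an added example, not OrientDB's code or the vendor's fix; the function names, the record shape (`id`, `name`) and the name policy are assumptions chosen for illustration.

```javascript
// Added example: function names, record shape and name policy are assumptions,
// not OrientDB APIs.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Output encoding for HTML element and quoted-attribute contexts.
// Apply at render time, regardless of what validation ran at write time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation: allowlist applied when a user is created (assumed policy).
const NAME_POLICY = /^[A-Za-z0-9._@-]{1,64}$/;

function validateUserName(name) {
  return typeof name === 'string' && NAME_POLICY.test(name);
}

// Render a user row with the name encoded, never concatenated raw.
function renderUserRow(user) {
  return `<tr><td>${escapeHtml(user.name)}</td></tr>`;
}

// Audit records stored before validation existed: return those whose name
// fails the policy, with the name encoded so the report itself is safe to view.
function auditStoredUsers(users) {
  return users
    .filter((u) => !validateUserName(u.name))
    .map((u) => ({ id: u.id, encodedName: escapeHtml(u.name) }));
}

// Constructed sample records (not taken from a real database).
const sampleUsers = [
  { id: 1, name: 'admin' },
  { id: 2, name: 'reader' },
  { id: 3, name: '<script>alert(1)</script>' },
];

console.log(auditStoredUsers(sampleUsers));
```

Encoding at render time is the control that neutralizes names already stored in the database; the allowlist only stops new ones from being written.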