LOWCVE-2019-13934CVSS 3.5

CVE-2019-13934: XSS in Siemens Polarion

Q: What is CVE-2019-13934 — Cross-Site Scripting in Siemens Polarion?

CVE-2019-13934 is a reflected XSS vulnerability in the webclient component of Siemens Polarion, allowing attackers to inject malicious scripts. It affects versions prior to 19.2.

Q: Am I affected by CVE-2019-13934 in Siemens Polarion?

You are affected if you are using Siemens Polarion versions prior to 19.2. Upgrade to 19.2 or later to mitigate the risk.

Q: How do I fix CVE-2019-13934 in Siemens Polarion?

Upgrade to Siemens Polarion version 19.2 or later. Implement input validation and output encoding as a temporary workaround if immediate upgrade is not possible.

Q: Is CVE-2019-13934 being actively exploited?

No active exploitation campaigns targeting CVE-2019-13934 have been publicly reported at this time.

Q: Where can I find the official Siemens advisory for CVE-2019-13934?

Refer to the Siemens Security Notice: https://us-cert.cisa.gov/ics/advisories/icsa-19-311-01

Platform

other

Component

polarion

Fixed in

19.2.1

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026

View on NVD

Save

CVE-2019-13934 describes a Cross-Site Scripting (XSS) vulnerability within the webclient component of Siemens AG Polarion. This vulnerability allows an attacker to inject malicious scripts, potentially leading to unauthorized access or data manipulation. The vulnerability affects all versions of Polarion prior to 19.2. A fix is available in version 19.2.

Impact and Attack Scenarios

Successful exploitation of CVE-2019-13934 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Polarion webclient. This could lead to the theft of sensitive information, such as user credentials or project data. An attacker could also use this vulnerability to redirect users to malicious websites or deface the Polarion interface. The impact is amplified if users have elevated privileges within Polarion, potentially enabling the attacker to modify project configurations or access restricted areas.

Exploitation Context

CVE-2019-13934 was publicly disclosed on November 27, 2019. No known public exploits or active campaigns targeting this vulnerability have been reported. The CVSS score is currently listed as LOW, indicating a relatively low probability of exploitation in the wild. It is not listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.34% (57% percentile)

CVSS Vector

Affected Software

Componentpolarion

VendorSiemens AG

Affected rangeFixed in

All versions < 19.2 – All versions < 19.219.2.1

Weakness Classification (CWE)

CWE-79

Timeline

Reserved2019-07-18
Published2019-11-27
Modified2024-09-17
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2019-13934 is to upgrade to Polarion version 19.2 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing input validation and output encoding on the webclient to sanitize user-supplied data. Web Application Firewalls (WAFs) configured with appropriate rules can also help to block malicious XSS payloads. Regularly review Polarion configurations for any potential misconfigurations that could exacerbate the vulnerability.

How to fix

Update Siemens Polarion to version 19.2 or higher. This update fixes the reflected XSS vulnerability in the webclient.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2019-13934 — Cross-Site Scripting in Siemens Polarion?

CVE-2019-13934 is a reflected XSS vulnerability in the webclient component of Siemens Polarion, allowing attackers to inject malicious scripts. It affects versions prior to 19.2.

Am I affected by CVE-2019-13934 in Siemens Polarion?

You are affected if you are using Siemens Polarion versions prior to 19.2. Upgrade to 19.2 or later to mitigate the risk.

How do I fix CVE-2019-13934 in Siemens Polarion?

Upgrade to Siemens Polarion version 19.2 or later. Implement input validation and output encoding as a temporary workaround if immediate upgrade is not possible.

Is CVE-2019-13934 being actively exploited?

No active exploitation campaigns targeting CVE-2019-13934 have been publicly reported at this time.

Where can I find the official Siemens advisory for CVE-2019-13934?

Refer to the Siemens Security Notice: https://us-cert.cisa.gov/ics/advisories/icsa-19-311-01

NextGuard

Vulnerabilities

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs