LOWCVE-2019-13935CVSS 3.5

CVE-2019-13935: XSS in Siemens Polarion

Q: What is CVE-2019-13935 — Cross-Site Scripting in Siemens Polarion?

CVE-2019-13935 is a reflected XSS vulnerability in the webclient component of Siemens Polarion, allowing attackers to inject malicious scripts. It affects versions prior to 19.2.

Q: Am I affected by CVE-2019-13935 in Siemens Polarion?

Yes, if you are using Siemens Polarion versions earlier than 19.2, you are potentially vulnerable to this XSS attack.

Q: How do I fix CVE-2019-13935 in Siemens Polarion?

Upgrade to Siemens Polarion version 19.2 or later to resolve the vulnerability. Consider input validation as a temporary mitigation.

Q: Is CVE-2019-13935 being actively exploited?

Currently, there are no reports of active exploitation campaigns targeting CVE-2019-13935.

Q: Where can I find the official Siemens advisory for CVE-2019-13935?

Refer to the Siemens Security Notice: https://us-cert.cisa.gov/ics/advisories/icsa-19-313-01

Platform

other

Component

polarion

Fixed in

19.2.1

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026

View on NVD

Save

CVE-2019-13935 describes a Cross-Site Scripting (XSS) vulnerability within the webclient component of Siemens AG Polarion. This vulnerability allows an attacker to inject malicious scripts, potentially leading to unauthorized access or data manipulation. The vulnerability affects all versions of Polarion prior to 19.2. A fix is available in version 19.2.

Impact and Attack Scenarios

Successful exploitation of CVE-2019-13935 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Polarion webclient. This could lead to the theft of sensitive information, such as user credentials or project data. An attacker could also leverage this vulnerability to redirect users to malicious websites or deface the Polarion interface. The potential impact is amplified if the Polarion instance is used to manage critical project data or sensitive intellectual property.

Exploitation Context

CVE-2019-13935 was publicly disclosed on November 27, 2019. No known active exploitation campaigns have been reported. There are no publicly available proof-of-concept exploits. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation under normal circumstances.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.34% (57% percentile)

CVSS Vector

Affected Software

Componentpolarion

VendorSiemens AG

Affected rangeFixed in

All versions < 19.2 – All versions < 19.219.2.1

Weakness Classification (CWE)

CWE-79

Timeline

Reserved2019-07-18
Published2019-11-27
Modified2024-09-17
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2019-13935 is to upgrade to Polarion version 19.2 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and output encoding measures on the webclient to sanitize user-supplied data. While not a complete solution, these measures can reduce the attack surface. Thoroughly review and update any custom scripts or plugins within the Polarion environment to ensure they do not introduce further XSS vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a web form and verifying that the script is not executed.

How to fix

Update Siemens Polarion to version 19.2 or higher. This will correct the reflected XSS vulnerability in the webclient.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2019-13935 — Cross-Site Scripting in Siemens Polarion?

CVE-2019-13935 is a reflected XSS vulnerability in the webclient component of Siemens Polarion, allowing attackers to inject malicious scripts. It affects versions prior to 19.2.

Am I affected by CVE-2019-13935 in Siemens Polarion?

Yes, if you are using Siemens Polarion versions earlier than 19.2, you are potentially vulnerable to this XSS attack.

How do I fix CVE-2019-13935 in Siemens Polarion?

Upgrade to Siemens Polarion version 19.2 or later to resolve the vulnerability. Consider input validation as a temporary mitigation.

Is CVE-2019-13935 being actively exploited?

Currently, there are no reports of active exploitation campaigns targeting CVE-2019-13935.

Where can I find the official Siemens advisory for CVE-2019-13935?

Refer to the Siemens Security Notice: https://us-cert.cisa.gov/ics/advisories/icsa-19-313-01

NextGuard

Vulnerabilities

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: None — no availability impact. Service remains fully operational.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free Search CVEs