Platform: other
Component: polarion
Fixed in: 19.2.1
CVE-2019-13934 describes a Cross-Site Scripting (XSS) vulnerability within the webclient component of Siemens AG Polarion. This vulnerability allows an attacker to inject malicious scripts, potentially leading to unauthorized access or data manipulation. The vulnerability affects all versions of Polarion prior to 19.2. A fix is available in version 19.2.
Successful exploitation of CVE-2019-13934 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Polarion webclient. This could lead to the theft of sensitive information, such as user credentials or project data. An attacker could also use this vulnerability to redirect users to malicious websites or deface the Polarion interface. The impact is amplified if users have elevated privileges within Polarion, potentially enabling the attacker to modify project configurations or access restricted areas.
CVE-2019-13934 was publicly disclosed on November 27, 2019. No known public exploits or active campaigns targeting this vulnerability have been reported. The CVSS score is currently listed as LOW, indicating a relatively low probability of exploitation in the wild. It is not listed on the CISA KEV catalog.
Organizations utilizing Siemens Polarion for project lifecycle management, particularly those running versions prior to 19.2, are at risk. This includes teams relying on Polarion for requirements management, test management, and release management. Shared hosting environments or deployments with limited security controls may be particularly vulnerable.
• other / web: check whether the endpoint sets a Content-Security-Policy header (a missing header means a reflected script would run unrestricted):
curl -I 'https://<polarion_server>/<vulnerable_endpoint>?param=<malicious_script>' | grep 'Content-Security-Policy'
• other / web: check whether the parameter value is reflected unencoded in the response body:
curl 'https://<polarion_server>/<vulnerable_endpoint>?param=<malicious_script>' > /tmp/output.html; grep -i '<script>' /tmp/output.html
Exploit status
EPSS: 0.34% (percentile 57%)
CVSS vector
The primary mitigation for CVE-2019-13934 is to upgrade to Polarion version 19.2 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing input validation and output encoding on the webclient to sanitize user-supplied data. Web Application Firewalls (WAFs) configured with appropriate rules can also help to block malicious XSS payloads. Regularly review Polarion configurations for any potential misconfigurations that could exacerbate the vulnerability.
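The output-encoding workaround described above, as an added example that is not Polarion's code and not part of the original record: a parameter reflected into HTML by plain concatenation next to the same template with HTML entity encoding, an allowlist check standing in for input validation, and the same test the page's grep performs (does the response body still contain a raw script tag). The endpoint name, the parameter name `param`, the allowlist pattern and the probe value are constructed for the example.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed request URL: a query parameter carrying a script tag, the
# shape of input a reflected XSS check looks for. The host, endpoint and
# parameter name are placeholders, not Polarion's real ones.
SAMPLE_URL = "https://polarion.example/vulnerable_endpoint?param=%3Cscript%3Eprobe()%3C/script%3E"

# Example allowlist for a free-text search term: letters, digits, space and
# a few punctuation characters, bounded in length. This pattern is an
# assumption for the example, not a Polarion rule.
ALLOWED_TERM = re.compile(r"^[A-Za-z0-9 _.\-]{1,100}$")


def reflected_param(url: str, name: str = "param") -> str:
    """Return the query parameter value the page would echo back (URL-decoded)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Reflects the value into HTML by string concatenation with no encoding,
    so any markup in the value becomes live markup in the page."""
    return f"<div class='search-result'>Results for: {value}</div>"


def render_hardened(value: str) -> str:
    """Same template, but the value is HTML-entity-encoded before insertion.
    quote=True also encodes ' and \", so the value cannot break out of an
    attribute either. The browser displays the characters but never parses them
    as tags."""
    return f"<div class='search-result'>Results for: {html.escape(value, quote=True)}</div>"


def is_allowed_search_term(value: str) -> bool:
    """Input validation: accept only values matching the allowlist pattern.
    Validation narrows what reaches the template; encoding (above) is still
    required for anything that is reflected."""
    return ALLOWED_TERM.fullmatch(value) is not None


def contains_raw_script_tag(body: str) -> bool:
    """The check the page's `grep -i '<script>'` performs on a saved response:
    does the body contain an unencoded script tag?"""
    return "<script>" in body.lower()


if __name__ == "__main__":
    value = reflected_param(SAMPLE_URL)
    print("allowed by validation:", is_allowed_search_term(value))
    for label, page in (("vulnerable", render_vulnerable(value)),
                        ("hardened", render_hardened(value))):
        print(f"{label}: raw <script> present = {contains_raw_script_tag(page)}")
        print("   ", page)
```

Running the block shows the unencoded template failing the same test the page's grep applies and the encoded template passing it; the validation step rejects the probe outright, which is why the two controls are layered rather than used alone.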
Update Siemens Polarion to version 19.2 or later. This update fixes the reflected XSS vulnerability in the webclient.
CVE-2019-13934 is a reflected XSS vulnerability in the webclient component of Siemens Polarion, allowing attackers to inject malicious scripts. It affects versions prior to 19.2.
You are affected if you are using Siemens Polarion versions prior to 19.2. Upgrade to 19.2 or later to mitigate the risk.
Upgrade to Siemens Polarion version 19.2 or later. Implement input validation and output encoding as a temporary workaround if immediate upgrade is not possible.
No active exploitation campaigns targeting CVE-2019-13934 have been publicly reported at this time.
Refer to the Siemens Security Notice: https://us-cert.cisa.gov/ics/advisories/icsa-19-311-01