Onjuiste Neutralisatie van Invoer tijdens Webpagina Generatie ('Cross-site Scripting') kwetsbaarheid in de webclient van Siemens AG Polarion kan een aanvaller in staat stellen een gereflecteerde XSS kwetsbaarheid te exploiteren.

Successful exploitation of CVE-2019-13935 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Polarion webclient. This could lead to the theft of sensitive information, such as user credentials or project data. An attacker could also leverage this vulnerability to redirect users to malicious websites or deface the Polarion interface. The potential impact is amplified if the Polarion instance is used to manage critical project data or sensitive intellectual property.

Organizations utilizing Siemens Polarion for project management and collaboration are at risk, particularly those running versions prior to 19.2. This includes teams managing sensitive project data, intellectual property, or regulatory compliance documentation. Shared hosting environments where multiple Polarion instances reside on the same infrastructure could also amplify the risk.

1. 2019-11-27Disclosure

   disclosure

1. Gereserveerd2019-07-18
2. Gepubliceerd2019-11-27
3. Gewijzigd2024-09-17
4. EPSS bijgewerkt2026-04-02

The primary mitigation for CVE-2019-13935 is to upgrade to Polarion version 19.2 or later, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and output encoding measures on the webclient to sanitize user-supplied data. While not a complete solution, these measures can reduce the attack surface. Thoroughly review and update any custom scripts or plugins within the Polarion environment to ensure they do not introduce further XSS vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple XSS payload into a web form and verifying that the script is not executed.