Platform
other
Component
polarion
Fixed in
19.2.1
CVE-2019-13936 describes a Cross-Site Scripting (XSS) vulnerability within the webclient component of Siemens AG Polarion. This vulnerability allows an attacker to inject malicious scripts, potentially leading to unauthorized access and data compromise. The issue impacts all versions of Polarion prior to 19.2, and a patch is available in version 19.2.
Successful exploitation of CVE-2019-13936 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Polarion webclient. This can lead to a variety of malicious actions, including stealing sensitive user data (credentials, project information), hijacking user sessions, and defacing the web application. The attack surface is broad, as any user interacting with the vulnerable webclient is potentially at risk. Because the XSS is persistent (stored), the injected payload remains in the application after the initial injection and is served to every user who views the affected content, so it can affect multiple users over time.
CVE-2019-13936 was publicly disclosed on November 27, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been widely released, but the nature of XSS vulnerabilities makes it likely that such code could be developed and shared. The CVSS score of 3.5 (LOW) suggests a relatively low probability of exploitation in the absence of a readily available PoC.
Organizations utilizing Siemens Polarion for project lifecycle management, particularly those running versions prior to 19.2, are at risk. This includes teams relying on Polarion for requirements management, test management, and agile project tracking. Environments with shared user accounts or limited access controls may be more vulnerable.
Disclosure
Exploit Status
EPSS
0.34% (57th percentile)
CVSS vector
The primary mitigation for CVE-2019-13936 is to upgrade to Polarion version 19.2 or later, which contains the fix. If upgrading immediately is not feasible, apply input validation and, more importantly, context-aware output encoding on the webclient so that user-supplied data is rendered as text rather than interpreted as markup. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense, but they are a compensating control, not a substitute for the patch. Regularly review and update Polarion's security configuration to minimize the attack surface.
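The output-encoding mitigation described above, shown as an added example in JavaScript. This is not Polarion's code and not the fix Siemens shipped; the `escapeHtml`, `html` and `renderComment` names, the "work-item comment" rendering scenario and the sample comment are all constructed for illustration.

```javascript
// Added example (not Polarion code): context-aware output encoding, the
// stored-XSS mitigation named in the advisory text above.

// Characters that change meaning inside an HTML text node or a quoted
// attribute value. Encoding at render time (output) is preferred over
// sanitizing at submission time (input): the same stored string is then
// rendered safely no matter how it got into the database.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal markup written by the developer is trusted,
// every interpolated value is encoded. Using this instead of string
// concatenation or innerHTML makes the safe path the default path.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

// Render a stored comment into markup. Both the text-node context (<p>)
// and the attribute context (title="...") receive encoded values.
function renderComment(author, body) {
  return html`<div class="comment"><span class="author" title="${author}">${author}</span><p>${body}</p></div>`;
}

// Defensive check a reviewer or test suite can run over rendered output:
// no raw tag or unencoded quote should survive from user-controlled data.
function containsRawMarkup(markup, userValue) {
  return markup.includes(userValue) && /[<>"']/.test(userValue);
}

// Constructed sample: a comment whose author field tries to break out of
// the title attribute and whose body carries a harmless script probe.
const SAMPLE_COMMENT = {
  author: 'alice" onmouseover="alert(1)',
  body: '<script>alert(1)</script>',
};

const rendered = renderComment(SAMPLE_COMMENT.author, SAMPLE_COMMENT.body);
console.log(rendered);
console.log('raw markup leaked:', containsRawMarkup(rendered, SAMPLE_COMMENT.body));
```

The tagged template is the key design choice: developers write `html\`...\`` for every piece of markup and never see the encoding step, so forgetting to escape a value requires actively bypassing the helper. Note that this encoder covers HTML text and quoted-attribute contexts only; values placed inside `<script>` blocks, URLs or CSS need their own context-specific encoders.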
Update Siemens AG Polarion to version 19.2 or higher. This update fixes a persistent Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker.
CVE-2019-13936 is a Cross-Site Scripting (XSS) vulnerability in the webclient of Siemens Polarion, allowing attackers to inject malicious scripts.
Yes, if you are using Siemens Polarion versions equal to or less than 19.2, you are affected by this XSS vulnerability.
Upgrade to Siemens Polarion version 19.2 or later to remediate the vulnerability. Consider input validation and WAF rules as interim measures.
There is no confirmed evidence of active exploitation campaigns targeting CVE-2019-13936 at this time.
Refer to the Siemens Security Notice: https://us-cert.cisa.gov/ics/advisories/SN-19-312