Severity
Medium
Analysis Summary
CVE-2024-51444 CVSS:6.5
Siemens Polarion is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to bypass authorization controls and download any data from the application's database.
CVE-2024-51445 CVSS:6.5
Siemens Polarion is vulnerable to an XML External Entity Injection (XXE) vulnerability in the docx import feature. A remote authenticated attacker could exploit this vulnerability to read arbitrary data from the application server.
CVE-2024-51446 CVSS:6.5
A vulnerability has been identified in Polarion , Polarion V2404. The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application.
CVE-2024-51447 CVSS:5.3
A vulnerability has been identified in Polarion , Polarion V2404. The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2024-51444
CVE-2024-51445
CVE-2024-51446
CVE-2024-51447
Affected Vendors
Affected Products
- Siemens Polarion - 2310
- Siemens Polarion - 2404
Remediation
Refer to the Siemens Security Advisory for patch, upgrade, or suggested workaround information.