May 20, 2025
Severity
Medium
Analysis Summary
CVE-2024-51444 (CVSS 6.5)
Siemens Polarion is vulnerable to SQL injection. A remote authenticated attacker could send specially crafted SQL statements, which could allow the attacker to bypass authorization controls and download any data from the application's database.
CVE-2024-51445 (CVSS 6.5)
Siemens Polarion is vulnerable to an XML External Entity Injection (XXE) vulnerability in the docx import feature. A remote authenticated attacker could exploit this vulnerability to read arbitrary data from the application server.
CVE-2024-51446 (CVSS 6.5)
A vulnerability has been identified in Polarion, Polarion V2404. The file upload feature of the affected application improperly sanitizes XML files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack by uploading specially crafted XML files that are later downloaded and viewed by other users of the application.
CVE-2024-51447 (CVSS 5.3)
A vulnerability has been identified in Polarion, Polarion V2404. The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.
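As an added defensive illustration of the docx-import XXE class behind CVE-2024-51445 (example code written for this advisory, not code from Siemens or Polarion): a minimal hardened importer that refuses any DOCTYPE in word/document.xml before entity declarations can take effect. The sample documents, the helper names and the placeholder file path in the entity declaration are all constructed for the example.

```python
import io
import xml.parsers.expat
import zipfile

class UnsafeDocxError(ValueError):
    """Raised when an uploaded .docx contains XML the importer refuses to process."""

def build_docx(document_xml: bytes) -> bytes:  # constructed minimal .docx for testing
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

def extract_text_hardened(docx_bytes: bytes, max_part_size: int = 10_000_000) -> str:
    """Return the text of <w:t> runs in word/document.xml, refusing any DTD.
    WordprocessingML parts never legitimately carry a DOCTYPE, so rejecting it
    blocks external entity declarations (the XXE vector) outright."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        info = zf.getinfo("word/document.xml")
        if info.file_size > max_part_size:  # cheap guard against decompression bombs
            raise UnsafeDocxError("word/document.xml exceeds the size limit")
        part = zf.read(info)
    texts, in_run = [], [False]
    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeDocxError(f"DOCTYPE '{name}' is not allowed in docx XML parts")
    def start(name, attrs):  # <w:t> elements hold the document text
        in_run[0] = name.rsplit(":", 1)[-1] == "t"
    def end(name):
        in_run[0] = in_run[0] and name.rsplit(":", 1)[-1] != "t"
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = lambda data: in_run[0] and texts.append(data)
    parser.Parse(part, True)
    return "".join(texts)

def is_safe_docx(docx_bytes: bytes) -> bool:
    """True if the hardened importer accepts the upload, False if it rejects it."""
    try:
        extract_text_hardened(docx_bytes)
        return True
    except (UnsafeDocxError, zipfile.BadZipFile, KeyError, xml.parsers.expat.ExpatError):
        return False

# Constructed samples: a benign part, and an XXE-shaped part whose external entity points at a placeholder path.
W = b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>'
BENIGN_DOCX = build_docx(W + b'<w:r><w:t>Hello</w:t></w:r><w:r><w:t xml:space="preserve"> world</w:t></w:r></w:p></w:body></w:document>')
XXE_DOCX = build_docx(b'<!DOCTYPE w:document [<!ENTITY ext SYSTEM "file:///placeholder/path">]>' + W + b'<w:r><w:t>&ext;</w:t></w:r></w:p></w:body></w:document>')
```

The size check and the DOCTYPE rejection are the two controls an import endpoint should apply before any XML content is interpreted; the same parser configuration applies to every other XML part inside the archive.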
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2024-51444
CVE-2024-51445
CVE-2024-51446
CVE-2024-51447
Affected Vendors
- Siemens
Affected Products
- Siemens Polarion - 2310
- Siemens Polarion - 2404
Remediation
Refer to the Siemens Security Advisory for patch, upgrade, or suggested workaround information.