- What: Multiple vulnerabilities have been discovered in Siemens Polarion before V2410.
- Impact: Attackers could extract data, conduct cross-site scripting attacks, or discover valid usernames.
- Affected: Polarion versions before V2410.
- Patch: Update Polarion to V2410 or later; patch releases are available for V2404.

SSA-162255: Multiple Vulnerabilities in Polarion Before V2410

- Publication Date: 2025-05-13
- Last Update: 2025-05-13
- Current Version: V1.0
- CVSS v3.1 Base Score: 6.5
- CVSS v4.0 Base Score: 7.1

SUMMARY

Polarion before V2410 contains multiple vulnerabilities that could allow attackers to extract data, conduct cross-site scripting attacks, or find out valid usernames.

Siemens strongly recommends updating Polarion to V2410 or later versions, not only to fix the documented vulnerabilities, but also to benefit from all the other improvements and fixes. For Polarion V2404, patch releases can be applied.

AFFECTED PRODUCTS AND SOLUTION

- Polarion V2310
  - Affected versions: All versions, affected by all CVEs (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446, CVE-2024-51447)
  - Remediation: Currently no fix is planned
- Polarion V2404
  - Affected versions: All versions < V2404.4, affected by multiple CVEs (CVE-2024-51444, CVE-2024-51445, CVE-2024-51446)
  - Remediation: Update to V2404.4 or later version: https://support.sw.siemens.com/product/230235217/
- Polarion V2404
  - Affected versions: All versions < V2404.2, affected by CVE-2024-51447
  - Remediation: Update to V2404.2 or later version: https://support.sw.siemens.com/product/230235217/

WORKAROUNDS AND MITIGATIONS

Product-specific remediations or mitigations can be found in the section Affected Products and Solution. Please follow the General Security Recommendations.

PRODUCT DESCRIPTION

Polarion ALM is an application lifecycle management solution that improves software development processes with a single, unified solution for requirements, coding, testing, and release.

VULNERABILITY DESCRIPTION

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2024-51444

The application insufficiently validates user input for database read queries. This could allow an authenticated remote attacker to conduct an SQL injection attack that bypasses authorization controls and allows downloading any data from the application's database.

- CVSS v3.1 Base Score: 6.5
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CVSS v4.0 Base Score: 7.1
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Vulnerability CVE-2024-51445

The affected application contains an XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.

- CVSS v3.1 Base Score: 6.5
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- CVSS v4.0 Base Score: 7.1
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- CWE: CWE-611: Improper Restriction of XML External Entity Reference

Vulnerability CVE-2024-51446

The file upload feature of the affected application improperly sanitizes XML files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted XML files that are later downloaded and viewed by other users of the application.

- CVSS v3.1 Base Score: 6.5
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
- CVSS v4.0 Base Score: 5.1
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
- CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability CVE-2024-51447

The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames.

- CVSS v3.1 Base Score: 5.3
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CVSS v4.0 Base Score: 6.9
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
- CWE: CWE-204: Observable Response Discrepancy

ACKNOWLEDGMENTS

Siemens thanks the following parties for their efforts:

- Thales Digital Factory for reporting the vulnerabilities
- Luis Manuel Alvarez Tapia from BorgWarner Luxembourg Automotive Systems SARL for reporting the vulnerability CVE-2024-51444

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2025-05-13): Publication Date

TERMS OF USE

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use
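
For CVE-2024-51445 (XXE in the docx import feature), a compensating check where no fixed version can be installed is to reject .docx files whose XML parts declare a DTD before they reach the import. This is an added example, not Siemens code or the vendor fix; the function names, the size cap and the sample documents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# OOXML parts do not need a DTD, so any DOCTYPE/ENTITY declaration is treated as hostile.
DTD_MARKER = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)
XML_SUFFIXES = (".xml", ".rels")
MAX_PART_BYTES = 20 * 1024 * 1024  # assumed per-part cap; tune for your documents


def scan_docx(data: bytes) -> list[str]:
    """Return the XML parts of a .docx that declare a DTD (empty list = none found)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append(f"{info.filename} (oversized, not scanned)")
                continue
            # Dropping NUL bytes folds UTF-16/UTF-32 encoded markup down to ASCII,
            # so a re-encoded declaration is still matched. Other exotic encodings
            # are not covered by this check.
            raw = zf.read(info).replace(b"\x00", b"")
            if DTD_MARKER.search(raw):
                findings.append(info.filename)
    return findings


def build_docx(document_xml: bytes) -> bytes:
    """Build a minimal, constructed .docx-style ZIP for the demo (not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b'<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples. The DTD sample uses an internal entity only.
CLEAN = b'<?xml version="1.0" encoding="UTF-8"?><document>text</document>'
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "constructed">]><d>&e;</d>'
WITH_DTD_UTF16 = WITH_DTD.decode("ascii").encode("utf-16")

if __name__ == "__main__":
    for name, body in [("clean", CLEAN), ("dtd", WITH_DTD), ("dtd-utf16", WITH_DTD_UTF16)]:
        hits = scan_docx(build_docx(body))
        print(f"{name}: {'reject ' + str(hits) if hits else 'accept'}")
```

A non-empty result means the file should be quarantined rather than imported; a malformed archive raises `zipfile.BadZipFile`, which the caller should also treat as a rejection.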