Siemens Polarion ALM vulnerabilities
10 known vulnerabilities affecting siemens/polarion_alm.
Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 7
Vulnerabilities
CVE-2024-23813 | CRITICAL, CVSS 9.8 | priority P2 | CWE-287 | fixed in V2404.0 | 2024-02-13 | source: nvd
A vulnerability has been identified in Polarion ALM (All versions < V2404.0). The REST API endpoints of doorsconnector of the affected product lack proper authentication. An unauthenticated attacker could access the endpoints, and potentially execute code.
CVE-2023-28828 | HIGH, CVSS 7.5 | priority P3 | CWE-611 | fixed in 2304.0; All versions < V22R2 | 2023-04-11 | source: nvd
A vulnerability has been identified in Polarion ALM (All versions < V22R2). The application contains an XML External Entity Injection (XXE) vulnerability. This could allow an attacker to view files on the application server filesystem.
CVE-2024-51444 | MEDIUM, CVSS 6.5 | priority P3 | CWE-89 | affected: ≥ 2404.0, < 2404.4; 2310.0 | 2025-05-13 | source: nvd
A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The application insufficiently validates user input for database read queries. This could allow an authenticated remote attacker to conduct an SQL injection attack that bypasses authorization controls and allows to download any data from the
CVE-2023-50236 | HIGH, CVSS 7.8 | priority P3 | CWE-276 | fixed in V2404.0 | 2024-02-13 | source: nvd
A vulnerability has been identified in Polarion ALM (All versions < V2404.0). The affected product is vulnerable due to weak file and folder permissions in the installation path. An attacker with local access could exploit this vulnerability to escalate privileges to NT AUTHORITY\SYSTEM.
CVE-2024-51445 | MEDIUM, CVSS 6.5 | priority P3 | CWE-611 | affected: ≥ 2404.0, < 2404.4; 2310.0 | 2025-05-13 | source: nvd
A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The affected application contains an XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server.
CVE-2024-33647 | MEDIUM, CVSS 6.5 | priority P3 | CWE-284 | fixed in V2404.0 | 2024-05-14 | source: nvd
A vulnerability has been identified in Polarion ALM (All versions < V2404.0). The Apache Lucene based query engine in the affected application lacks proper access controls. This could allow an authenticated user to query items beyond the user's allowed projects.
CVE-2024-51447 | MEDIUM, CVSS 5.3 | priority P4 | CWE-204 | affected: ≥ 2404, < 2410; 2310 | 2025-05-13 | source: nvd
A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames
CVE-2024-51446 | MEDIUM, CVSS 5.4 | priority P4 | CWE-79 | affected: ≥ 2404.0, < 2404.4; 2310.0 | 2025-05-13 | source: nvd
A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later dow
CVE-2021-44478 | MEDIUM, CVSS 6.1 | priority P4 | CWE-79 | fixed in 21.0; 21.0 +1 more | 2022-03-08 | source: nvd
A vulnerability has been identified in Polarion ALM (All versions < V21 R2 P2), Polarion WebClient for SVN (All versions). A cross-site scripting vulnerability is present due to improper neutralization of data sent to the web page through the SVN WebClient in the affected product. An attacker could exploit this to execute arbitrary code and extract sensitive infor
CVE-2022-46265 | MEDIUM, CVSS 6.1 | priority P4 | CWE-74 | fixed in 2304.0; All versions < V2304.0 | 2022-12-13 | source: nvd
A vulnerability has been identified in Polarion ALM (All versions < V2304.0). The affected application contains a Host header injection vulnerability that could allow an attacker to spoof Host header information and redirect users to malicious websites.