CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51447
https://notcve.org/view.php?id=CVE-2024-51447
13 May 2025 — A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.2). The login implementation of the affected application contains an observable response discrepancy vulnerability when validating usernames. This could allow an unauthenticated remote attacker to distinguish between valid and invalid usernames. • https://cert-portal.siemens.com/productcert/html/ssa-162255.html • CWE-204: Observable Response Discrepancy •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51446
https://notcve.org/view.php?id=CVE-2024-51446
13 May 2025 — A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The file upload feature of the affected application improperly sanitizes xml files. This could allow an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application. • https://cert-portal.siemens.com/productcert/html/ssa-162255.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51445
https://notcve.org/view.php?id=CVE-2024-51445
13 May 2025 — A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The affected application contains a XML External Entity Injection (XXE) vulnerability in the docx import feature. This could allow an authenticated remote attacker to read arbitrary data from the application server. • https://cert-portal.siemens.com/productcert/html/ssa-162255.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51444
https://notcve.org/view.php?id=CVE-2024-51444
13 May 2025 — A vulnerability has been identified in Polarion V2310 (All versions), Polarion V2404 (All versions < V2404.4). The application insufficiently validates user input for database read queries. This could allow an authenticated remote attacker to conduct an SQL injection attack that bypasses authorization controls and allows to download any data from the application's database. • https://cert-portal.siemens.com/productcert/html/ssa-162255.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •