Details of VAR-202203-0961

ID

VAR-202203-0961

CVE

CVE-2021-44478

TITLE

Siemens' polarion alm and Polarion Subversion Webclient Cross-site scripting vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-018684

DESCRIPTION

A vulnerability has been identified in Polarion ALM (All versions < V21 R2 P2), Polarion WebClient for SVN (All versions). A cross-site scripting is present due to improper neutralization of data sent to the web page through the SVN WebClient in the affected product. An attacker could exploit this to execute arbitrary code and extract sensitive information by sending a specially crafted link to users with administrator privileges. Siemens' polarion alm and Polarion Subversion Webclient Exists in a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Polarion WebClient for SVN is an SVN client

Trust: 2.16

sources: NVD: CVE-2021-44478 // JVNDB: JVNDB-2021-018684 // CNVD: CNVD-2022-17778

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2022-17778

AFFECTED PRODUCTS

vendor:	siemens	model:	polarion alm	scope:	lt	version:	21.0	Trust: 1.0
vendor:	siemens	model:	polarion alm	scope:	eq	version:	21.0	Trust: 1.0
vendor:	siemens	model:	polarion subversion webclient	scope:	eq	version:	*	Trust: 1.0
vendor:	シーメンス	model:	polarion alm	scope:	-	version:	-	Trust: 0.8
vendor:	シーメンス	model:	polarion subversion webclient	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	polarion subversion webclient r1	scope:	eq	version:	v21	Trust: 0.6

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // NVD: CVE-2021-44478

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-44478
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2021-44478
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2022-17778
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-202203-755
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2021-44478
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2022-17778
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-44478
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
NVD:	CVE-2021-44478
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // CNNVD: CNNVD-202203-755 // NVD: CVE-2021-44478

PROBLEMTYPE DATA

problemtype:	CWE-79	Trust: 1.0
problemtype:	Cross-site scripting (CWE-79) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-018684 // NVD: CVE-2021-44478

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-755

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202203-755

PATCH

title:	Patch for Siemens Polarion ALM Cross-Site Scripting Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/324186	Trust: 0.6
title:	Polarion Subversion Webclient Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=185246	Trust: 0.6

sources: CNVD: CNVD-2022-17778 // CNNVD: CNNVD-202203-755

EXTERNAL IDS

db:	NVD	id:	CVE-2021-44478	Trust: 3.8
db:	SIEMENS	id:	SSA-562051	Trust: 3.0
db:	ICS CERT	id:	ICSA-22-069-08	Trust: 1.4
db:	JVN	id:	JVNVU91709091	Trust: 0.8
db:	JVNDB	id:	JVNDB-2021-018684	Trust: 0.8
db:	CNVD	id:	CNVD-2022-17778	Trust: 0.6
db:	AUSCERT	id:	ESB-2022.1042	Trust: 0.6
db:	CS-HELP	id:	SB2022031101	Trust: 0.6
db:	CNNVD	id:	CNNVD-202203-755	Trust: 0.6

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // CNNVD: CNNVD-202203-755 // NVD: CVE-2021-44478

REFERENCES

url:	https://cert-portal.siemens.com/productcert/pdf/ssa-562051.pdf	Trust: 3.0
url:	https://jvn.jp/vu/jvnvu91709091/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2021-44478	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-08	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2022.1042	Trust: 0.6
url:	https://www.cybersecurity-help.cz/vdb/sb2022031101	Trust: 0.6
url:	https://cxsecurity.com/cveshow/cve-2021-44478/	Trust: 0.6
url:	https://us-cert.cisa.gov/ics/advisories/icsa-22-069-08	Trust: 0.6

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // CNNVD: CNNVD-202203-755 // NVD: CVE-2021-44478

CREDITS

Nicolas Briand of Thales Digital Factory reported this vulnerability to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202203-755

SOURCES

db:	CNVD	id:	CNVD-2022-17778
db:	JVNDB	id:	JVNDB-2021-018684
db:	CNNVD	id:	CNNVD-202203-755
db:	NVD	id:	CVE-2021-44478

LAST UPDATE DATE

2024-08-14T12:54:53.922000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2022-17778	date:	2022-06-13T00:00:00
db:	JVNDB	id:	JVNDB-2021-018684	date:	2023-07-05T08:11:00
db:	CNNVD	id:	CNNVD-202203-755	date:	2022-04-13T00:00:00
db:	NVD	id:	CVE-2021-44478	date:	2022-07-28T18:12:36.160

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2022-17778	date:	2022-03-09T00:00:00
db:	JVNDB	id:	JVNDB-2021-018684	date:	2023-07-05T00:00:00
db:	CNNVD	id:	CNNVD-202203-755	date:	2022-03-08T00:00:00
db:	NVD	id:	CVE-2021-44478	date:	2022-03-08T12:15:11.337