ID

VAR-202203-0961


CVE

CVE-2021-44478


TITLE

Cross-site scripting vulnerability in Siemens' Polarion ALM and Polarion Subversion Webclient

Trust: 0.8

sources: JVNDB: JVNDB-2021-018684

DESCRIPTION

A vulnerability has been identified in Polarion ALM (All versions < V21 R2 P2), Polarion WebClient for SVN (All versions). A cross-site scripting vulnerability is present due to improper neutralization of data sent to the web page through the SVN WebClient in the affected product. An attacker could exploit this to execute arbitrary code and extract sensitive information by sending a specially crafted link to users with administrator privileges. A cross-site scripting vulnerability exists in Siemens' Polarion ALM and Polarion Subversion Webclient. Information may be obtained and information may be tampered with. Polarion WebClient for SVN is an SVN client.

Trust: 2.16

sources: NVD: CVE-2021-44478 // JVNDB: JVNDB-2021-018684 // CNVD: CNVD-2022-17778

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-17778

AFFECTED PRODUCTS

vendor: siemens, model: polarion alm, scope: lt, version: 21.0

Trust: 1.0

vendor: siemens, model: polarion alm, scope: eq, version: 21.0

Trust: 1.0

vendor: siemens, model: polarion subversion webclient, scope: eq, version: *

Trust: 1.0

vendor: シーメンス, model: polarion alm, scope: -, version: -

Trust: 0.8

vendor: シーメンス, model: polarion subversion webclient, scope: -, version: -

Trust: 0.8

vendor: siemens, model: polarion subversion webclient r1, scope: eq, version: v21

Trust: 0.6

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // NVD: CVE-2021-44478

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-44478
value: MEDIUM

Trust: 1.0

NVD: CVE-2021-44478
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2022-17778
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202203-755
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2021-44478
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-17778
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2021-44478
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2021-44478
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // CNNVD: CNNVD-202203-755 // NVD: CVE-2021-44478

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.0

problemtype: Cross-site scripting (CWE-79) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2021-018684 // NVD: CVE-2021-44478

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202203-755

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-202203-755

PATCH

title: Patch for Siemens Polarion ALM Cross-Site Scripting Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/324186

Trust: 0.6

title: Polarion Subversion Webclient Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=185246

Trust: 0.6

sources: CNVD: CNVD-2022-17778 // CNNVD: CNNVD-202203-755

EXTERNAL IDS

db: NVD, id: CVE-2021-44478

Trust: 3.8

db: SIEMENS, id: SSA-562051

Trust: 3.0

db: ICS CERT, id: ICSA-22-069-08

Trust: 1.4

db: JVN, id: JVNVU91709091

Trust: 0.8

db: JVNDB, id: JVNDB-2021-018684

Trust: 0.8

db: CNVD, id: CNVD-2022-17778

Trust: 0.6

db: AUSCERT, id: ESB-2022.1042

Trust: 0.6

db: CS-HELP, id: SB2022031101

Trust: 0.6

db: CNNVD, id: CNNVD-202203-755

Trust: 0.6

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // CNNVD: CNNVD-202203-755 // NVD: CVE-2021-44478

REFERENCES

url: https://cert-portal.siemens.com/productcert/pdf/ssa-562051.pdf

Trust: 3.0

url: https://jvn.jp/vu/jvnvu91709091/

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2021-44478

Trust: 0.8

url: https://www.cisa.gov/news-events/ics-advisories/icsa-22-069-08

Trust: 0.8

url: https://www.auscert.org.au/bulletins/esb-2022.1042

Trust: 0.6

url: https://www.cybersecurity-help.cz/vdb/sb2022031101

Trust: 0.6

url: https://cxsecurity.com/cveshow/cve-2021-44478/

Trust: 0.6

url: https://us-cert.cisa.gov/ics/advisories/icsa-22-069-08

Trust: 0.6

sources: CNVD: CNVD-2022-17778 // JVNDB: JVNDB-2021-018684 // CNNVD: CNNVD-202203-755 // NVD: CVE-2021-44478

CREDITS

Nicolas Briand of Thales Digital Factory reported this vulnerability to Siemens.

Trust: 0.6

sources: CNNVD: CNNVD-202203-755

SOURCES

db: CNVD, id: CNVD-2022-17778
db: JVNDB, id: JVNDB-2021-018684
db: CNNVD, id: CNNVD-202203-755
db: NVD, id: CVE-2021-44478

LAST UPDATE DATE

2024-08-14T12:54:53.922000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2022-17778, date: 2022-06-13T00:00:00
db: JVNDB, id: JVNDB-2021-018684, date: 2023-07-05T08:11:00
db: CNNVD, id: CNNVD-202203-755, date: 2022-04-13T00:00:00
db: NVD, id: CVE-2021-44478, date: 2022-07-28T18:12:36.160

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2022-17778, date: 2022-03-09T00:00:00
db: JVNDB, id: JVNDB-2021-018684, date: 2023-07-05T00:00:00
db: CNNVD, id: CNNVD-202203-755, date: 2022-03-08T00:00:00
db: NVD, id: CVE-2021-44478, date: 2022-03-08T12:15:11.337