PatchSiren cyber security CVE debrief
CVE-2024-51446 Siemens CVE debrief
CVE-2024-51446 is a stored cross-site scripting issue in Siemens Polarion. According to the advisory published on 2025-05-13, the application’s XML file upload handling does not properly sanitize uploaded files, allowing an authenticated remote attacker to plant malicious content that can later execute when other users download and view the file. Siemens identifies Polarion V2310 and V2404 as affected, with a vendor fix available for V2404 and no fix planned for V2310.
- Vendor: Siemens
- Product: Polarion V2310
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-13
- Original CVE updated: 2025-05-13
- Advisory published: 2025-05-13
- Advisory updated: 2025-05-13
Who should care
Administrators and security teams responsible for Siemens Polarion deployments, especially environments where users can upload and later open XML files. Any organization using Polarion V2310 or V2404 should review exposure and upgrade plans, because the issue can impact user sessions through stored XSS when uploaded files are viewed by others.
Technical summary
The advisory describes a web application input-validation flaw in the XML upload path. An authenticated attacker with network access can upload a crafted XML file that is not sanitized correctly; exploitation depends on user interaction, because another user must later download or view that file. When they do, the embedded script executes in the victim’s browser, producing a stored XSS condition. The advisory assigns CVSS v3.1 6.5 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).
Defensive priority
Medium. This is not a zero-day or KEV-listed item in the supplied corpus, but it is a browser-executed stored XSS issue in a Siemens product used in operational environments. Prioritize remediation if users exchange or review uploaded XML content, and especially where Polarion is exposed to multiple trust levels.
Recommended defensive actions
- For Polarion V2404, update to V2404.4 or later as Siemens recommends.
- For Polarion V2310, note that Siemens currently lists no fix planned; reduce exposure by restricting XML upload capability and limiting who can upload or view files.
- Review user roles and permissions so only trusted users can upload files, and minimize broad access to downloaded or viewed XML content.
- Treat uploaded XML as untrusted content and apply compensating controls such as content filtering, access control review, and browser-side hardening where feasible.
- Check Polarion deployments for workflows that allow users to open or preview uploaded XML files, since the issue depends on later viewing by other users.
- Monitor Siemens and CISA advisories for any change in remediation status for Polarion V2310.
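The technical summary above describes the failure mode (XML that a browser will render as active content when another user views it), and the actions above ask for content filtering and browser-side hardening as compensating controls, in particular for V2310 where no fix is planned. The following is an added example of those two controls; it is not Siemens or Polarion code, and the function names, size cap, header set and sample documents are all constructed here. It assumes the deployment has some upload handler and download route (or a reverse proxy in front of them) where a scan can be run and response headers can be set.

```python
"""Compensating controls for untrusted XML uploads.

Added example, not Siemens' or Polarion's code: it shows the kind of
content filtering and browser-side hardening a team could put in front of
an upload/download path while a vendor fix is unavailable.
Function names, the size cap and the sample documents are constructed.
Requires Python 3.8+ for the "pi" iterparse event.
"""
import re
import xml.etree.ElementTree as ET  # stdlib; a production deployment should prefer defusedxml
from io import BytesIO
from typing import Dict, List

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"
MAX_XML_BYTES = 5 * 1024 * 1024  # assumed cap: never hand unbounded input to a parser


def _split_tag(qualified: str):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if qualified.startswith("{"):
        ns, _, local = qualified[1:].partition("}")
        return ns, local
    return "", qualified


def scan_xml_for_active_content(data: bytes) -> List[str]:
    """Return findings describing browser-executable content in an XML upload.

    A browser that renders an XML document directly will execute XHTML/SVG
    script elements, event-handler attributes, javascript: URIs and XSLT
    referenced by an xml-stylesheet instruction. An empty list means no such
    marker was seen; a non-empty list is a reason to quarantine and log.
    """
    findings: List[str] = []
    if len(data) > MAX_XML_BYTES:
        return ["oversized upload: refused before parsing"]
    try:
        for event, node in ET.iterparse(BytesIO(data), events=("start", "pi")):
            if event == "pi":
                # ElementTree delivers a PI as an element whose text is "target data"
                pi_text = (getattr(node, "text", None) or "").strip()
                pi_target = pi_text.split(None, 1)[0] if pi_text else ""
                if pi_target == "xml-stylesheet":
                    findings.append("processing instruction: xml-stylesheet (XSLT can emit HTML)")
                continue
            ns, local = _split_tag(node.tag)
            if local.lower() == "script" and ns in (XHTML_NS, SVG_NS, ""):
                findings.append(f"script element in namespace {ns or '(none)'}")
            for attr_name, value in node.attrib.items():
                _, attr_local = _split_tag(attr_name)
                # Conservative heuristic: any on* attribute is treated as an event handler
                if attr_local.lower().startswith("on") and attr_local[2:].isalpha():
                    findings.append(f"event-handler attribute: {attr_local}")
                if re.match(r"\s*javascript:", value, re.IGNORECASE):
                    findings.append(f"javascript: URI in attribute {attr_local}")
    except ET.ParseError as exc:
        # Malformed XML is rejected rather than passed on for a browser to guess at
        findings.append(f"malformed XML: {exc}")
    return findings


def triage_upload(data: bytes) -> str:
    """Policy hook for the upload handler: 'accept' or 'quarantine'."""
    return "quarantine" if scan_xml_for_active_content(data) else "accept"


def download_headers(filename: str) -> Dict[str, str]:
    """Response headers that make a browser store an uploaded file instead of rendering it.

    Assumption: the download route (or a reverse proxy in front of it) lets you
    set response headers; Polarion's own handler is not modelled here.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        # A generic binary type invokes no XML/HTML renderer
        "Content-Type": "application/octet-stream",
        # 'attachment' forces a save rather than in-tab viewing
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Stop MIME sniffing from promoting the body to an active type
        "X-Content-Type-Options": "nosniff",
        # If something renders it anyway, the sandbox allows no script origin
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample documents (not taken from any real upload)
BENIGN_XML = b"""<?xml version="1.0"?>
<workitems><item id="WI-1" title="Login page review"/></workitems>"""

SUSPECT_XML = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="view.xsl"?>
<workitems xmlns:h="http://www.w3.org/1999/xhtml">
  <item id="WI-2" onload="handler()"/>
  <h:script>/* constructed marker used only to exercise the scanner */</h:script>
</workitems>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("suspect", SUSPECT_XML)):
        print(label, triage_upload(doc), scan_xml_for_active_content(doc))
    print(download_headers("export 2025.xml"))
```

The scanner is a heuristic gate, not a sanitizer: it flags the markers a browser would act on so the file can be quarantined and the upload logged for review, while the download headers remove the rendering step the advisory's attack chain depends on. Both controls reduce exposure on V2310; they do not replace the V2404.4 update where that is available.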
Evidence notes
The supplied CSAF advisory (ICSA-25-135-11) states: “The file upload feature of the affected application improperly sanitizes xml files,” and that this could allow “an authenticated remote attacker to conduct a stored cross-site scripting attack by uploading specially crafted xml files that are later downloaded and viewed by other users of the application.” The same advisory lists Siemens Polarion V2310 and V2404 as affected, gives CVSS v3.1 6.5/Medium, and specifies remediation of “Update to V2404.4 or later version” for V2404 while also stating “Currently no fix is planned” for V2310. The advisory publication date in the supplied corpus is 2025-05-13.
Official resources
- CVE-2024-51446 CVE record (CVE.org)
- CVE-2024-51446 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory for CVE-2024-51446 on 2025-05-13 as ICSA-25-135-11.