Siemens Polarion Subversion Webclient (ICSA-20-252-08) – Product Used in the Energy Sector

CISA has published an advisory on improper neutralization of script-related HTML tags in a web page (basic XSS) and cross-site request forgery (CRSF) vulnerabilities in Siemens Polarion Subversion Webclient. All versions of this product are affected. Successful exploitation of these vulnerabilities where an attacker injects client-side script to induce the victim to issue an HTTP request could lead to a state-changing operation. Siemens has stated that the tool is considered shareware, distributed “as is,” and will be no fix as it is no longer supported. Still, it has identified a specific workaround and mitigation users can apply to reduce the risk. CISA also recommends a series of measures to mitigate the vulnerabilities. Read the advisory at CISA.