CVE-2024-47107 Overview
IBM QRadar SIEM 7.5 contains a stored cross-site scripting (XSS) vulnerability that allows an authenticated user to inject JavaScript that is persisted in the Web UI and served to other users. The injected code can alter the intended functionality of the application and may lead to credential disclosure within the trusted sessions of the users who view it. Because the payload is stored server-side, it executes every time an affected page is loaded, without the attacker having to lure each victim individually.
Critical Impact
An authenticated attacker can embed arbitrary JavaScript in the QRadar Web UI. The script runs in the browser of every other user who views the affected content, inside the QRadar origin, so it can read what the page can read, issue requests with the victim's session, and attempt to capture credentials or session tokens.
Affected Products
- IBM QRadar Security Information and Event Manager 7.5.0 (Base installation)
- IBM QRadar Security Information and Event Manager 7.5.0 Update Packs 1-10
- Linux (listed in the NVD CPE configuration as the underlying operating system platform; it is not a separately affected product)
Discovery Timeline
- December 7, 2024 - CVE-2024-47107 published to NVD
- July 25, 2025 - Last updated in NVD database
Technical Details for CVE-2024-47107
Vulnerability Analysis
This stored cross-site scripting vulnerability (CWE-79) exists in the IBM QRadar SIEM 7.5 Web UI. Unlike reflected XSS, where the attacker must get each victim to open a crafted link or form, stored XSS persists the payload in the application's data store. Whenever another authenticated user loads the page that displays it, the JavaScript runs in that user's browser within the QRadar origin, with the same access to the page, its DOM and authenticated requests that the user's own session has.
Exploitation requires authentication, so an attacker must first hold valid QRadar credentials or control an account that has them. The impact, however, is not confined to the attacker's own privilege level: any user who views the stored content, including administrators, is exposed, and their credentials and data may be compromised.
Root Cause
The root cause is improper input handling and missing output encoding in the QRadar Web UI. User-supplied input is stored without adequate validation and later rendered into web pages without escaping appropriate to the context in which it is inserted (HTML text, attribute value or URL), so HTML and JavaScript in the stored data are interpreted as markup and code rather than as text.
Because script tags and event handler attributes are written into the page unencoded, they persist in the application and execute in victims' browsers. The same-origin policy offers no protection here: the script does not come from a foreign origin, it runs inside the trusted QRadar origin itself, with the same privileges as the application's own scripts.
Attack Vector
The attack vector for CVE-2024-47107 is network-based and requires user interaction on the victim's side: a victim must view the content in which the payload is stored. An authenticated attacker injects JavaScript into a persistent storage location within QRadar, and the script executes when other users navigate to pages that display that stored content.
The attack flow typically involves:
- An authenticated attacker identifies an input field whose content is stored and later redisplayed without proper encoding
- The attacker submits a payload containing JavaScript, typically a script tag, an event handler attribute or a javascript: URL
- The payload is stored in the QRadar backend
- When other users view the page containing the stored data, the JavaScript executes in their browser within the QRadar origin
- The script can read whatever the page can read, send requests in the victim's session, capture credentials typed into the page and exfiltrate data; session cookies can be read directly only if they are not marked HttpOnly, but the script can act on the victim's behalf either way
No verified code examples or public proof-of-concept for this vulnerability are available. Organizations should refer to the IBM Support Article for the authoritative technical details and fix information rather than relying on third-party descriptions of the injection points.
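The generic mechanics described above, as an added example that is not IBM's code and not a QRadar proof-of-concept: a hypothetical note store is rendered once without encoding and once with context-aware encoding, against constructed payloads for the HTML text, attribute and URL contexts. JavaScript is used because the behaviour in question is the browser's. The store, the render functions, the payloads and the hostnames are all assumptions for illustration and do not describe where QRadar stores or renders anything.

```javascript
// Added example (not QRadar code): the stored-XSS mechanics described above and the
// context-aware output encoding that prevents them. The "notes" store, the render
// functions and the payloads are hypothetical stand-ins for any web UI that
// persists user input and redisplays it to other users.

const notes = []; // hypothetical persistent store (in-memory for the example)

// Steps 1-3 of the attack flow: an authenticated user submits values that are stored.
function saveNote(author, body, link) {
  notes.push({ author, body, link });
}

// VULNERABLE: stored strings are concatenated straight into markup, so the text,
// attribute and URL contexts are all controlled by whoever saved the note.
function renderNotesVulnerable() {
  return notes
    .map(n => `<li data-author="${n.author}"><a href="${n.link}">${n.body}</a></li>`)
    .join('\n');
}

// HARDENED, part 1: HTML text and quoted-attribute contexts need these five
// characters encoded. Attributes must always be quoted for this to hold.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// HARDENED, part 2: entity encoding does nothing against javascript: URLs, so the
// URL context is validated separately. Absolute http(s) only; anything else -> '#'.
function safeHref(raw) {
  try {
    const u = new URL(String(raw));
    return u.protocol === 'http:' || u.protocol === 'https:' ? escapeHtml(u.href) : '#';
  } catch (_) {
    return '#'; // relative, empty or unparsable input is treated as untrusted
  }
}

function renderNotesHardened() {
  return notes
    .map(n => `<li data-author="${escapeHtml(n.author)}">` +
              `<a href="${safeHref(n.link)}">${escapeHtml(n.body)}</a></li>`)
    .join('\n');
}

// Stand-in for "what the browser's tokenizer would see": lists the attributes of
// each start tag, honouring quoted values. Deliberately minimal, not an HTML parser.
function extractAttributes(html) {
  const found = [];
  const tagRe = /<([a-z][a-z0-9-]*)([^>]*)>/gi;
  let t;
  while ((t = tagRe.exec(html))) {
    const attrRe = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let a;
    while ((a = attrRe.exec(t[2]))) {
      const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || '');
      found.push({ tag: t[1].toLowerCase(), name: a[1].toLowerCase(), value });
    }
  }
  return found;
}

// Step 5 of the attack flow: anything returned here would run in the viewer's session.
function activeContent(html) {
  return extractAttributes(html).filter(a =>
    a.name.startsWith('on') || (a.name === 'href' && /^\s*javascript:/i.test(a.value)));
}

// Constructed payloads, one per injection context (not taken from any real report).
const PAYLOAD_BODY   = '<img src=x onerror="alert(document.cookie)">'; // HTML text context
const PAYLOAD_AUTHOR = '" onmouseover="alert(1)';                        // attribute breakout
const PAYLOAD_LINK   = 'javascript:alert(document.domain)';             // URL context

saveNote('analyst1', 'Benign note about 203.0.113.7', 'https://docs.example/runbook');
saveNote(PAYLOAD_AUTHOR, PAYLOAD_BODY, PAYLOAD_LINK);

console.log('vulnerable render executes:', activeContent(renderNotesVulnerable()).map(a => a.name)); // [ 'onmouseover', 'href', 'onerror' ]
console.log('hardened render executes:  ', activeContent(renderNotesHardened()).map(a => a.name));   // []
```

The point of the three payloads is that one escaping function is not enough: the text and attribute contexts are covered by escapeHtml only because every attribute is quoted, and the URL context needs scheme validation, since an entity-encoded javascript: URL is still a javascript: URL to the browser.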
Detection Methods for CVE-2024-47107
Indicators of Compromise
- JavaScript or HTML in QRadar database fields, configuration objects or log entries that should contain plain text: <script> tags, event handler attributes (onerror, onload, onmouseover and similar) or javascript: URLs, including URL- or entity-encoded variants
- Unexpected outbound connections from client browsers while accessing QRadar console pages
- Session hijacking indicators such as concurrent sessions from different geographic locations
- Modified or injected content in QRadar UI elements that differs from expected configurations
Detection Strategies
- Serve Content Security Policy (CSP) headers with report-uri or report-to configured and monitor the violation reports; an inline-script or unexpected-host violation on a console page is a strong indicator that injected script attempted to run
- Deploy Web Application Firewall (WAF) rules that detect stored XSS patterns in HTTP requests to QRadar, and make sure the rules normalize URL encoding and HTML entities before matching, since payloads are routinely encoded to evade naive string matching
- Enable QRadar audit logging to track user input submissions and identify potentially malicious payloads
- Conduct periodic security scans of QRadar deployment using authenticated vulnerability scanners
Monitoring Recommendations
- Monitor QRadar access logs for suspicious patterns indicating payload injection attempts
- Configure alerts for CSP violation reports originating from QRadar domains
- Establish baseline behavioral analytics for user sessions and alert on anomalies such as unusual data access patterns
- Review browser network traffic from QRadar sessions for unexpected external connections
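A detection routine for the indicators and strategies above, as an added example that is not taken from QRadar or from IBM documentation: it normalizes encoded values, runs payload heuristics over constructed audit-style records, and triages a CSP violation report in the standard csp-report JSON format. The record layout, field names, hosts and addresses are assumptions; map them to your own audit log and report collector.

```javascript
// Added example (not IBM/QRadar code): heuristic detection of stored-XSS payloads
// in user-submitted field values, plus triage of CSP violation reports. The record
// layout and all sample data are constructed for this illustration.

// Decode the encodings attackers use to hide markup from naive string matching.
function decodeHtmlEntities(s) {
  const fromCp = (m, n) => (n <= 0x10ffff ? String.fromCodePoint(n) : m);
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (m, h) => fromCp(m, parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (m, d) => fromCp(m, parseInt(d, 10)))
    .replace(/&lt;/gi, '<').replace(/&gt;/gi, '>')
    .replace(/&quot;/gi, '"').replace(/&apos;/gi, "'")
    .replace(/&amp;/gi, '&');
}

// URL- and entity-decode repeatedly (bounded) so double-encoded payloads surface.
function normalize(value) {
  let s = String(value);
  for (let i = 0; i < 3; i++) {
    let next = s;
    try { next = decodeURIComponent(next); } catch (_) { /* malformed %xx: keep as-is */ }
    next = decodeHtmlEntities(next);
    if (next === s) break;
    s = next;
  }
  return s.replace(/\0/g, '').toLowerCase();
}

// Patterns characteristic of markup injection. A bare '<' or '>' in text is NOT
// flagged on its own, so comparisons such as "a < b" do not raise alerts.
const RULES = [
  { name: 'script-tag',         re: /<\s*\/?\s*script\b/ },
  { name: 'event-handler',      re: /<[^>]*\bon[a-z]+\s*=/ },
  { name: 'attribute-breakout', re: /["']\s*on[a-z]+\s*=/ },
  { name: 'javascript-uri',     re: /javascript\s*:/ },
  { name: 'dangerous-tag',      re: /<\s*(iframe|object|embed|svg|math|base|meta|link)\b/ },
];

// records: [{ts, user, srcIp, field, value}] -> the records that look like payloads,
// each annotated with the rules that fired.
function scanRecords(records) {
  const findings = [];
  for (const rec of records) {
    const norm = normalize(rec.value);
    const rules = RULES.filter(r => r.re.test(norm)).map(r => r.name);
    if (rules.length) findings.push({ ...rec, rules });
  }
  return findings;
}

// CSP report triage. A report-uri/report-to collector receives JSON with the standard
// "csp-report" keys. Inline-script violations, or script loads from hosts outside the
// list the console legitimately uses, are the ones worth an analyst's time.
function triageCspReport(report, allowedScriptHosts) {
  const r = report['csp-report'] || {};
  const directive = r['effective-directive'] || r['violated-directive'] || '';
  if (!directive.startsWith('script-src')) return null;
  const blocked = r['blocked-uri'] || '';
  let host = blocked;
  try { host = new URL(blocked).host; } catch (_) { /* 'inline', 'eval' etc. have no host */ }
  if (blocked === 'inline' || blocked === 'eval' || !allowedScriptHosts.includes(host)) {
    return { documentUri: r['document-uri'], directive, blocked, sample: r['script-sample'] || '' };
  }
  return null;
}

// Constructed sample data (documentation IP ranges and .example hosts, not real traffic).
const SAMPLE_RECORDS = [
  { ts: '2025-01-10T09:12:03Z', user: 'analyst1',   srcIp: '10.0.0.5', field: 'description', value: 'Brute force from 203.0.113.7, review firewall logs' },
  { ts: '2025-01-10T09:15:41Z', user: 'contractor', srcIp: '10.0.0.9', field: 'description', value: '<img src=x onerror="alert(document.cookie)">' },
  { ts: '2025-01-10T09:16:02Z', user: 'contractor', srcIp: '10.0.0.9', field: 'name',        value: '%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E' },
  { ts: '2025-01-10T09:20:17Z', user: 'analyst2',   srcIp: '10.0.0.6', field: 'comment',     value: 'threshold check: a < b && c > d' },
  { ts: '2025-01-10T09:21:08Z', user: 'contractor', srcIp: '10.0.0.9', field: 'url',         value: 'javascript:alert(1)' },
  { ts: '2025-01-10T09:22:55Z', user: 'contractor', srcIp: '10.0.0.9', field: 'title',       value: '&lt;svg onload=alert(1)&gt;' },
  { ts: '2025-01-10T09:23:30Z', user: 'contractor', srcIp: '10.0.0.9', field: 'label',       value: '" onmouseover="alert(1)' },
];

const SAMPLE_CSP_REPORT = {
  'csp-report': { 'document-uri': 'https://qradar.example/console/', 'effective-directive': 'script-src-elem',
                  'blocked-uri': 'inline', 'script-sample': 'alert(document.cookie)' },
};

for (const hit of scanRecords(SAMPLE_RECORDS)) {
  console.log(`${hit.ts} ${hit.user}@${hit.srcIp} field=${hit.field} rules=${hit.rules.join(',')}`);
}
console.log(triageCspReport(SAMPLE_CSP_REPORT, ['qradar.example']));
```

Five of the seven constructed records are flagged and the two benign ones are not; the decode loop is what catches the URL-encoded script tag and the entity-encoded svg handler that a literal match for "<script" would miss. The CSP triage is only useful once a report-uri or report-to directive and a collector endpoint are actually configured.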
How to Mitigate CVE-2024-47107
Immediate Actions Required
- Apply the security patch from IBM immediately by following the instructions in the IBM Support Article
- Review QRadar audit logs for evidence of exploitation or suspicious user activity
- Restrict network access to QRadar Web UI to trusted IP ranges and VPN connections
- Rotate session tokens and credentials for all QRadar users as a precautionary measure
Patch Information
IBM has released a security update addressing this stored XSS vulnerability. Organizations should consult the official IBM Support Article for specific patch details and installation instructions. The affected versions include IBM QRadar SIEM 7.5.0 through Update Pack 10. Ensure your QRadar deployment is updated to the latest patched version as indicated in the IBM advisory.
Workarounds
- Serve a strict Content Security Policy that disallows inline script until patching is complete. Deploy it first as Content-Security-Policy-Report-Only and review the reports, because a policy of script-src 'self' will also block any inline script the legitimate console relies on; CSP is defense in depth here, not a substitute for the patch
- Limit QRadar Web UI access to essential personnel and privileged administrators only
- Deploy network segmentation to isolate QRadar from general user networks
- Enable enhanced logging and monitoring on QRadar to detect potential exploitation attempts
# Example: add a Content Security Policy header via a reverse proxy (Apache httpd)
# placed in front of the QRadar console. Requires mod_headers to be loaded.
# "always" applies the header to non-2xx responses (error pages) too; a plain
# "Header set" only covers successful responses.
# Start with Content-Security-Policy-Report-Only and switch to the enforcing header
# only after confirming the console still works with inline script blocked.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';"
# Verify the header is present on a console response (-s suppresses the progress meter)
curl -sI https://your-qradar-host/console | grep -i content-security-policy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


