
CVE-2024-28784 PoC — IBM QRadar SIEM 跨站脚本漏洞

Related vulnerability
Title: IBM QRadar SIEM cross-site scripting vulnerability (CVE-2024-28784)
Description: IBM QRadar SIEM is a solution from the US company International Business Machines (IBM) that uses security intelligence to protect assets and information from advanced threats. It provides monitoring across the entire IT infrastructure and generates detailed reports on data access and user activity. IBM QRadar SIEM 7.5 contains a cross-site scripting vulnerability: it allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.
Description
Technical disclosure for CVE-2024-28784 — a stored XSS vulnerability in IBM QRadar SIEM 7.5.0 UpdatePackage 7. The issue affects the Rule Wizard component and allows persistent JavaScript injection via malformed regular expressions. Includes PoC, impact analysis, and mitigation advice.
Introduction
# CVE-2024-28784 — Stored XSS in IBM QRadar SIEM Rule Wizard

## 🛠 Product Information

- **Vendor:** IBM
- **Product:** IBM Security QRadar SIEM
- **Affected Version:** 7.5.0 UpdatePackage 7 (Build 20230822112654)
- **Component:** Rule Wizard (Regular Expression Logic Block)
- **CVE ID:** [CVE-2024-28784](https://nvd.nist.gov/vuln/detail/CVE-2024-28784)

---

## 🐞 Vulnerability Summary

A **stored cross-site scripting (XSS)** vulnerability exists in the Rule Wizard component of QRadar SIEM. The issue lies in the improper sanitization of user-controlled input within the "regular expression" logic block. Malicious input containing unescaped HTML/JavaScript can be stored and later executed in the browser context of other authenticated users.

---

## 📋 Steps to Reproduce

1. Log into QRadar SIEM with a user account that has **rule creation/edit permissions**.
2. Navigate to:  
   `Offense → Rules → Actions → New Event Rule`
3. Add a condition block:  
   **"when any of these properties match this regular expression"**.  
   ![Logic Block](/img/imagen.png)
4. Choose any property.
5. In the "this regular expression" input, enter the following payload:
   ```html
   "><script>alert(alert('XSS'))</script>
   ```
6. Click **Submit**.
7. Reopen the rule block; the malicious payload persists and triggers upon interaction or load.

![XSS Succeed](/img/imagen-2.png)  
![HTML](/img/imagen-3.png)

---

## 🔐 Access Requirements

- **Authentication:** Yes  
- **Privileges:** Any user with access to rule creation/editing

---

## ⚙️ Technical Details

- **Vulnerability Type:** Stored Cross-site Scripting (XSS)
- **Vector:** Web UI → Rule Wizard
- **Injection Point:** Regular Expression field
- **Persistence:** Stored in configuration and triggered on view
- **Security Misstep:** Improper input sanitization and reflection in HTML context
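The summary and the technical details above both come down to one rendering defect: a stored regex value is placed into an HTML attribute without escaping, so a value beginning with `">` closes the attribute and the tag, and the rest is parsed as markup. The following is an added example, not QRadar code and not from the author's repository. It contrasts that unsafe concatenation with an escaped rendering, and adds a defender-side heuristic audit over stored rule conditions; the rule object shape (`name`, `conditions[].property`, `conditions[].regex`) and the sample rules are assumptions constructed for the example.

```javascript
// Added example for the CVE-2024-28784 write-up; it is not QRadar code.
// It shows (1) why an unescaped regex value breaks out of an HTML attribute,
// (2) the escaped rendering that keeps it inert, and (3) a heuristic audit
// of stored rule conditions. The rule object shape is an assumption.

// The payload quoted in the write-up, used here only as input data.
const PAYLOAD = '"><script>alert(alert(\'XSS\'))</script>';

// Minimal HTML escaping for text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored regex is concatenated straight into markup.
// A value starting with "> closes the attribute and the tag, and whatever
// follows is parsed as new elements (here, a <script> element).
function renderConditionUnsafe(regex) {
  return `<input class="regex" value="${regex}">`;
}

// Hardened pattern: the value is escaped for the attribute context, so the
// browser sees one <input> whose value text merely contains angle brackets.
function renderConditionSafe(regex) {
  return `<input class="regex" value="${escapeHtml(regex)}">`;
}

// Count element tags in a markup string; a rendered condition should have
// exactly one (the <input>). Used to make the difference measurable.
function countTags(html) {
  const matches = html.match(/<\/?[a-zA-Z][^>]*>/g);
  return matches ? matches.length : 0;
}

// Heuristic audit of stored rule definitions: flag regex values that look
// like markup or script rather than a pattern. Regex syntax legitimately
// uses "<" in named groups "(?<name>" and lookbehind "(?<=", so those are
// excluded by the negative lookbehind before "<".
const TAG_LIKE = /(?<!\(\?)<\/?[a-z][a-z0-9]*[\s>\/]/i;
const HANDLER_LIKE = /\bon[a-z]+\s*=/i;
const SCHEME_LIKE = /javascript\s*:/i;

function isSuspiciousRegex(regex) {
  return TAG_LIKE.test(regex) || HANDLER_LIKE.test(regex) || SCHEME_LIKE.test(regex);
}

// Walk every condition of every rule and return the suspicious ones.
function auditRuleConditions(rules) {
  const findings = [];
  for (const rule of rules) {
    for (const cond of rule.conditions) {
      if (isSuspiciousRegex(cond.regex)) {
        findings.push({ rule: rule.name, property: cond.property, regex: cond.regex });
      }
    }
  }
  return findings;
}

// Constructed sample rules (not an export from a real system). The first two
// use legitimate regex syntax that a naive "<" check would misflag.
const SAMPLE_RULES = [
  { name: 'Failed SSH logins',
    conditions: [{ property: 'Payload', regex: 'Failed password for (?<user>\\S+)' }] },
  { name: 'Host from URL',
    conditions: [{ property: 'URL', regex: '(?<=https://)[^/]+' }] },
  { name: 'Tampered rule',
    conditions: [{ property: 'Username', regex: PAYLOAD }] },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('tags in unsafe render:', countTags(renderConditionUnsafe(PAYLOAD)));
  console.log('tags in safe render:  ', countTags(renderConditionSafe(PAYLOAD)));
  console.log('audit findings:', auditRuleConditions(SAMPLE_RULES));
}
```

Run with `node` to see the unsafe render produce three tags (the input plus the injected script element) while the escaped render produces one, and the audit flag only the tampered rule. The audit is a heuristic for reviewing exported rule sets after the fact; the actual fix is the escaping (or, in a real UI, setting the value through DOM properties rather than markup strings), since a stored value is rendered to every user who opens the rule.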

---

## ⚠️ Impact

This XSS vulnerability allows an attacker to:
- Execute arbitrary JavaScript in another user’s browser session
- Perform session hijacking or token theft
- Steal sensitive data from authenticated users
- Impersonate users or elevate privileges (if privileged users trigger the payload)
- Redirect victims to phishing or malicious domains

---

## 🧪 Exploitation Notes

- Exploitation is **non-trivial**, requiring an attacker to inject the payload and a victim to interact with the infected rule interface.
- The attack does **not require social engineering** if users frequently interact with saved rules.

---

## 🏁 Timeline

| Date           | Event                                 |
|----------------|---------------------------------------|
| 2024-03-18     | Vulnerability discovered              |
| 2024-03-18     | Reported to IBM via HackerOne |
| 2024-04-02     | CVE-2024-28784 assigned                |

---

## 📄 Disclaimer

This research was conducted under ethical guidelines and in a responsible disclosure process. No production systems were harmed. This publication is for educational and defensive purposes only.

---

## 👤 Author

**Rodrigo Hormazábal**  
Security Researcher — SOAR & SIEM Automation  
🔗 [LinkedIn](https://www.linkedin.com/in/rodrigo-hormazabal-cybersec/)  
🧑‍💻 [GitHub](https://github.com/CainSoulless)  
🐙 [HackerOne](https://hackerone.com/cainsoulless)