CVE-2024-28784 PoC — IBM QRadar cross-site scripting

Associated Vulnerability
Title: IBM QRadar cross-site scripting (CVE-2024-28784)
Description: IBM QRadar SIEM 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285893.
Description
Technical disclosure for CVE-2024-28784 — a stored XSS vulnerability in IBM QRadar SIEM 7.5.0 UpdatePackage 7. The issue affects the Rule Wizard component and allows persistent JavaScript injection via malformed regular expressions. Includes PoC, impact analysis, and mitigation advice.
Readme
# CVE-2024-28784 — Stored XSS in IBM QRadar SIEM Rule Wizard

## 🛠 Product Information

- **Vendor:** IBM
- **Product:** IBM Security QRadar SIEM
- **Affected Version:** 7.5.0 UpdatePackage 7 (Build 20230822112654)
- **Component:** Rule Wizard (Regular Expression Logic Block)
- **CVE ID:** [CVE-2024-28784](https://nvd.nist.gov/vuln/detail/CVE-2024-28784)

---

## 🐞 Vulnerability Summary

A **stored cross-site scripting (XSS)** vulnerability exists in the Rule Wizard component of QRadar SIEM. The issue lies in the improper sanitization of user-controlled input within the "regular expression" logic block. Malicious input containing unescaped HTML/JavaScript can be stored and later executed in the browser context of other authenticated users.

---

## 📋 Steps to Reproduce

1. Log into QRadar SIEM with a user account that has **rule creation/edit permissions**.
2. Navigate to:  
   `Offense → Rules → Actions → New Event Rule`
3. Add a condition block:  
   **"when any of these properties match this regular expression"**.  
   ![Logic Block](/img/imagen.png)
4. Choose any property.
5. In the "this regular expression" input, enter the following payload:
   ```html
   "><script>alert(alert('XSS'))</script>
   ```
6. Click **Submit**.
7. Reopen the rule block; the malicious payload persists and triggers upon interaction or load.

![XSS Succeed](/img/imagen-2.png)  
![HTML](/img/imagen-3.png)

---

## 🔐 Access Requirements

- **Authentication:** Yes  
- **Privileges:** Any user with access to rule creation/editing

---

## ⚙️ Technical Details

- **Vulnerability Type:** Stored Cross-site Scripting (XSS)
- **Vector:** Web UI → Rule Wizard
- **Injection Point:** Regular Expression field
- **Persistence:** Stored in configuration and triggered on view
- **Security Misstep:** Improper input sanitization and reflection in HTML context
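
The security misstep listed above, shown in isolation as an added example (not QRadar code and not part of the original write-up). It assumes the stored regex is echoed into a double-quoted `value` attribute, as the payload's `">` prefix suggests; the field markup and all function names are hypothetical. It goes one step beyond the payload case by checking that output encoding also preserves legitimate regexes containing `<`, `>`, `"` and `&`, which input filtering would break.

```javascript
// Added example, not QRadar source code. Assumption: the stored regex is
// echoed into a double-quoted HTML attribute (hypothetical field markup).

const PAYLOAD = '"><script>alert(alert(\'XSS\'))</script>'; // payload from the steps above
const LEGIT_REGEX = '(?<user>[a-z]+)@"corp"&\\d+';          // constructed: valid rule regex

// Vulnerable pattern: raw interpolation lets `">` close the attribute and the tag.
function renderUnsafe(regex) {
  return `<input type="text" name="regex" value="${regex}">`;
}

// Encode every character that can end an attribute value or start markup.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hardened pattern: encode at output time, store the regex unchanged.
function renderSafe(regex) {
  return `<input type="text" name="regex" value="${escapeHtmlAttr(regex)}">`;
}

// Entity decoding as a browser applies it to attribute values, reproduced
// here so the round trip can be checked without a DOM.
function decodeAttr(s) {
  const back = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'" };
  return s.replace(/&(amp|lt|gt|quot|#x27);/g, (e) => back[e]);
}

// The value an HTML parser would see: everything up to the first closing quote.
function parsedValue(html) {
  return decodeAttr(html.match(/value="([^"]*)"/)[1]);
}

// True when a script tag survives outside the attribute, i.e. the input
// escaped its intended context.
function breaksOut(html) {
  return /<script/i.test(html.replace(/value="[^"]*"/, ''));
}
```

With raw interpolation the legitimate regex is also truncated at its first `"`, so the same defect that enables the injection corrupts valid rule input.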

---

## ⚠️ Impact

This XSS vulnerability allows an attacker to:
- Execute arbitrary JavaScript in another user’s browser session
- Perform session hijacking or token theft
- Steal sensitive data from authenticated users
- Impersonate users or elevate privileges (if privileged users trigger the payload)
- Redirect victims to phishing or malicious domains

---

## 🧪 Exploitation Notes

- Exploitation is **non-trivial**, requiring an attacker to inject the payload and a victim to interact with the infected rule interface.
- The attack does **not require social engineering** if users frequently interact with saved rules.

---

## 🏁 Timeline

| Date       | Event                         |
|------------|-------------------------------|
| 2024-03-18 | Vulnerability discovered      |
| 2024-03-18 | Reported to IBM via HackerOne |
| 2024-04-02 | CVE-2024-28784 assigned       |

---

## 📄 Disclaimer

This research was conducted under ethical guidelines and in a responsible disclosure process. No production systems were harmed. This publication is for educational and defensive purposes only.

---

## 👤 Author

**Rodrigo Hormazábal**  
Security Researcher — SOAR & SIEM Automation  
🔗 [LinkedIn](https://www.linkedin.com/in/rodrigo-hormazabal-cybersec/)  
🧑‍💻 [GitHub](https://github.com/CainSoulless)  
🐙 [HackerOne](https://hackerone.com/cainsoulless)