
CVE-2025-33118: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM QRadar SIEM

Severity: Medium
Tags: Vulnerability, CVE-2025-33118, CWE-79
Published: Fri Aug 01 2025 (08/01/2025, 17:21:16 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: QRadar SIEM

Description

IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 12 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

AI-Powered Analysis

Last updated: 08/01/2025, 17:47:52 UTC

Technical Analysis

CVE-2025-33118 is a stored cross-site scripting (XSS) vulnerability affecting IBM QRadar SIEM versions 7.5 through 7.5.0 Update Pack 12. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing authenticated users to inject arbitrary JavaScript code into the Web UI. The injected script executes in the context of the victim's browser session and can alter the intended behaviour of the application. Because the payload is stored, it persists in the application and can affect every user who later loads the affected page. Exploitation requires the attacker to hold authenticated access, but no user interaction beyond viewing the affected page is needed. The CVSS 3.1 base score is 6.4 (medium severity), reflecting a network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. The impact is to confidentiality and integrity, through credential disclosure and unauthorized actions within the trusted session; availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is of particular concern for security monitoring environments: QRadar SIEM is widely used for threat detection and incident response, and a compromise of its console could undermine the integrity of security operations.

Potential Impact

For European organizations, the impact of this vulnerability can be significant because of the central role IBM QRadar SIEM plays in security monitoring and incident response. Exploitation could lead to unauthorized disclosure of credentials and session hijacking, allowing attackers to manipulate security alerts, suppress detection of malicious activity, or escalate privileges within the SIEM environment. This undermines the trustworthiness of security data and could delay or prevent a timely response to real threats. Given the GDPR and other stringent data protection regulations in Europe, any compromise leading to unauthorized access or data leakage could result in regulatory penalties and reputational damage. Sectors such as finance, energy, telecommunications, and government agencies that rely heavily on QRadar for security operations are at heightened risk. The requirement for authenticated access somewhat limits the attack surface, but insider threats or compromised credentials could facilitate exploitation. The lack of known exploits in the wild currently reduces the immediate risk, but organizations should address the vulnerability proactively to avoid future exploitation.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Immediately review and restrict user privileges in QRadar SIEM to the minimum necessary, reducing the number of users who can inject malicious scripts.
2) Implement strict input validation and output encoding on all user-supplied data within the QRadar Web UI, if customization or scripting is supported.
3) Monitor logs for unusual activity or unexpected script injections in the SIEM interface.
4) Apply any available IBM patches or updates as soon as they are released; if no patch is currently available, engage IBM support for recommended workarounds or temporary mitigations.
5) Employ multi-factor authentication (MFA) to reduce the risk of credential compromise that could enable exploitation.
6) Conduct regular security awareness training for administrators and users with access to QRadar to recognize phishing or social engineering attempts that could lead to credential theft.
7) Consider network segmentation and access controls to limit exposure of the QRadar Web UI to trusted networks only.
8) Use Content Security Policy (CSP) headers where possible to restrict execution of unauthorized scripts in the browser context.
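As an added example that is not part of the original record or of IBM's code, the following Python shows the two controls behind items 2 and 8 above: context-aware output encoding of a stored, user-supplied field (the vulnerable concatenation beside the hardened version) and a check that a Content-Security-Policy value does not permit inline script. The field name, the console paths and the sample payload are constructed for the illustration.

```python
import html
from urllib.parse import quote

# Constructed sample: a stored, user-supplied field (say, a rule name) saved by a
# low-privileged account and later rendered in a page that administrators view.
STORED_NAME = 'Suspicious login <img src=x onerror="alert(document.cookie)">'

# Constructed strict policy for item 8: no inline script, no plugins, no base hijack.
STRICT_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
              "base-uri 'none'; frame-ancestors 'self'")


def render_unsafe(name: str) -> str:
    """Vulnerable pattern (CWE-79): stored text concatenated straight into HTML."""
    return f"<td class='rule-name'>{name}</td>"


def render_safe(name: str) -> str:
    """Hardened pattern: entity-encode for the HTML body context (quotes included)."""
    return f"<td class='rule-name'>{html.escape(name, quote=True)}</td>"


def render_link_safe(name: str, base: str = "/console/rules?name=") -> str:
    """A URL context needs percent-encoding first, then attribute encoding of the
    whole href; the link text is body context and gets entity encoding."""
    href = base + quote(name, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(name)}</a>'


def contains_active_markup(fragment: str) -> bool:
    """Does the rendered fragment still contain a tag the browser would parse?
    (After encoding, '<img' survives only as '&lt;img', which is inert text.)"""
    lowered = fragment.lower()
    return "<img" in lowered or "<script" in lowered


def csp_blocks_inline_script(policy: str) -> bool:
    """True if script-src (or the default-src fallback) omits 'unsafe-inline', so an
    injected inline <script> or onerror= handler is refused. Simplified: nonce and
    hash sources are not modelled, and a missing policy means nothing is blocked."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    fallback = directives.get("default-src", ["'unsafe-inline'"])
    sources = directives.get("script-src", fallback)
    return "'unsafe-inline'" not in sources
```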


Technical Details

Data Version
5.1
Assigner Short Name
ibm
Date Reserved
2025-04-15T17:50:56.613Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 688cfa3cad5a09ad00cac523

Added to database: 8/1/2025, 5:32:44 PM

Last enriched: 8/1/2025, 5:47:52 PM

Last updated: 8/2/2025, 12:34:24 AM

