CVE-2025-33118: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in IBM QRadar SIEM
IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 12 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
AI Analysis
Technical Summary
CVE-2025-33118 is a stored cross-site scripting (XSS) vulnerability affecting IBM QRadar SIEM versions 7.5 through 7.5.0 Update Pack 12. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing authenticated users to inject arbitrary JavaScript code into the Web UI. The injected script executes in the context of the victim's browser session, where it can alter the intended functionality of the application. Because the vulnerability is stored, the malicious script persists in the application and can affect every user who later views the affected part of the interface. Exploitation requires the attacker to hold authenticated access, but no user interaction beyond loading the affected page is needed. The CVSS 3.1 base score is 6.4 (medium severity), reflecting a network attack vector, low attack complexity, privileges required, no user interaction, and a scope change (the script runs in other users' browsers rather than in the attacker's own session). The impact is primarily to confidentiality and integrity, through credential disclosure and unauthorized actions within the trusted session; availability is not affected. No exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is especially consequential for security monitoring environments: QRadar SIEM is widely used for threat detection and incident response, and compromise of its Web UI could undermine the integrity of security operations.
Potential Impact
For European organizations, the impact of this vulnerability can be significant because of the central role IBM QRadar SIEM plays in security monitoring and incident response. Exploitation could lead to unauthorized disclosure of credentials and session hijacking, allowing attackers to manipulate security alerts, suppress detection of malicious activity, or escalate privileges within the SIEM environment. This undermines the trustworthiness of security data and could delay or prevent timely response to real threats. Given the GDPR and other stringent data protection regulations in Europe, any compromise leading to unauthorized access or data leakage could result in regulatory penalties and reputational damage. Sectors such as finance, energy, telecommunications, and government agencies that rely heavily on QRadar for security operations are at heightened risk. The requirement for authenticated access somewhat limits the attack surface, but insider threats or compromised credentials could enable exploitation. The absence of known exploits in the wild currently reduces the immediate risk, but organizations should address the vulnerability proactively to avoid future exploitation.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately review and restrict user privileges in QRadar SIEM to the minimum necessary, reducing the number of users who are in a position to inject scripts.
2) Implement strict input validation and output encoding on all user-supplied data within the QRadar Web UI, where the product's customization or scripting features make this possible.
3) Monitor logs for unusual activity or unexpected script content in the SIEM interface.
4) Apply any available IBM patches or updates as soon as they are released; if no patch is currently available, engage IBM support for recommended workarounds or temporary mitigations.
5) Employ multi-factor authentication (MFA) to reduce the risk of credential compromise that could enable exploitation.
6) Conduct regular security awareness training for administrators and users with access to QRadar so that they recognize phishing or social engineering attempts that could lead to credential theft.
7) Consider network segmentation and access controls to limit exposure of the QRadar Web UI to trusted networks only.
8) Use Content Security Policy (CSP) headers where possible to restrict execution of unauthorized scripts in the browser context.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: ibm
- Date Reserved: 2025-04-15T17:50:56.613Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688cfa3cad5a09ad00cac523
Added to database: 8/1/2025, 5:32:44 PM
Last enriched: 8/1/2025, 5:47:52 PM
Last updated: 8/2/2025, 12:34:24 AM