CVE-2023-47731 in QRadar Suite Software
Summary
by MITRE • 04/23/2024
IBM QRadar Suite Software 1.10.12.0 through 1.10.19.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 272203.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/13/2025
The vulnerability identified as CVE-2023-47731 represents a critical stored cross-site scripting flaw within IBM QRadar Suite Software and IBM Cloud Pak for Security platforms. This security weakness exists in specific version ranges including QRadar Suite Software 1.10.12.0 through 1.10.19.0 and Cloud Pak for Security 1.10.0.0 through 1.10.11.0, creating a significant risk for organizations relying on these security information and event management systems. The flaw allows attackers to inject malicious JavaScript code into the web interface, which persists and executes when other users access the affected pages, making it particularly dangerous in environments where multiple administrators and analysts interact with the system. This vulnerability falls under the CWE-079 category of Cross-Site Scripting, specifically classified as a stored XSS attack pattern where malicious scripts are permanently stored on the server and executed when users view the compromised content.
The technical implementation of this vulnerability enables attackers to manipulate the web application's user interface in ways that can compromise user sessions and extract sensitive information. When users interact with the affected web UI components, the embedded JavaScript code executes within their browser context, potentially stealing session cookies, credentials, or other sensitive data transmitted within the trusted session. The attack vector leverages the web application's failure to properly sanitize user input before storing and rendering it, creating an environment where malicious payloads can persist indefinitely. This stored nature means that the attack remains effective even after the initial injection, as the malicious code is saved in the application's database or storage mechanisms. The vulnerability's impact is amplified in security operations centers where QRadar and Cloud Pak for Security are extensively used, as these systems typically contain privileged access to critical infrastructure monitoring and threat detection capabilities.
The operational consequences of this vulnerability extend beyond simple data theft, potentially enabling attackers to establish persistent access within security operations environments. Organizations using these platforms may experience unauthorized access to security event data, alert management capabilities, and system configuration settings that could be exploited to cover tracks or manipulate security monitoring. The attack's ability to operate within trusted sessions makes it particularly insidious, as the malicious code can execute with the privileges of authenticated users, potentially allowing for privilege escalation or lateral movement within the security infrastructure. The vulnerability's presence in both QRadar Suite Software and Cloud Pak for Security platforms creates a unified threat surface that requires coordinated remediation efforts across both systems, potentially affecting organizations that have integrated these solutions as part of their broader security architecture. This vulnerability aligns with ATT&CK technique T1531 for credential access through manipulation of authentication processes, as it can be used to extract session tokens and authentication information.
Organizations should implement immediate mitigation strategies including applying the vendor-provided patches and updates that address the stored XSS vulnerability in the affected software versions. Network segmentation and monitoring of user interactions with the vulnerable web interface components can help detect potential exploitation attempts. Security teams should also consider implementing content security policies and input validation controls to reduce the impact of potential attacks, while conducting thorough security assessments of all user input handling mechanisms within the affected platforms. The vulnerability demonstrates the importance of proper input sanitization and output encoding in web applications, as recommended by OWASP security best practices and the CWE guidelines for preventing cross-site scripting attacks. Organizations should also review their incident response procedures to ensure readiness for potential exploitation of this vulnerability, particularly in environments where these platforms serve as central security monitoring and response systems.