CVE-2024-12223 in Prism Central
Summary
by MITRE • 08/20/2025
Prism Central versions prior to 2024.3.1 are vulnerable to a stored cross-site scripting attack via the Events component, allowing an attacker to hijack a victim user’s session and perform actions in their security context.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/20/2025
The vulnerability identified as CVE-2024-12223 affects Prism Central platforms running versions earlier than 2024.3.1, specifically targeting the Events component where a stored cross-site scripting flaw exists. This vulnerability represents a critical security weakness that enables attackers to inject malicious scripts into the application's event logging system, which then executes when other users view these events. The flaw allows threat actors to manipulate the application's data handling mechanisms and persist malicious code within the system's event records.
The technical implementation of this vulnerability stems from inadequate input validation and output encoding within the Events component of Prism Central. When users generate or view events within the system, the application fails to properly sanitize user-supplied data before storing and rendering it in subsequent user interfaces. This stored XSS vulnerability operates under CWE-079 which specifically addresses Cross-Site Scripting flaws where applications fail to validate or encode user-controllable data. The vulnerability allows attackers to execute scripts in the context of authenticated users, potentially enabling complete session hijacking and unauthorized administrative actions.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to privileged user sessions within the Prism Central environment. Once exploited, threat actors can leverage the compromised sessions to perform actions such as modifying security policies, accessing sensitive configuration data, viewing restricted logs, and potentially escalating privileges within the system. The stored nature of this vulnerability means that the malicious payload remains active even after the initial injection, continuously affecting any user who views the compromised event records. This persistent threat aligns with ATT&CK technique T1531 which covers "Modify System Image" and T1078 which covers "Valid Accounts" as attackers can maintain access through hijacked sessions.
Mitigation strategies for CVE-2024-12223 require immediate implementation of version updates to Prism Central 2024.3.1 or later, which includes proper input validation and output encoding controls for the Events component. Organizations should also implement additional security measures such as web application firewalls that can detect and block suspicious script payloads, regular security scanning of event data for malicious content, and comprehensive user access controls. The remediation process must include thorough testing of the updated system to ensure that the XSS protections are functioning correctly and that no other components have similar vulnerabilities. Security teams should also conduct immediate review of event logs for signs of exploitation attempts and implement monitoring solutions to detect anomalous user behavior patterns that may indicate session hijacking activities.