CVE-2024-24396

MEDIUM

Stimulsoft Dashboard.JS < 2024.1.2 - Remote Code Execution via Search Bar Component

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-24396. PoCs published by trustcves.

AI-analyzed exploit summary: This writeup details a reflected XSS vulnerability in Stimulsoft Dashboards.JS, where arbitrary JavaScript can be injected via the search bar. The vulnerability is unauthenticated and was fixed in version 2024.1.3.

Description

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.

Exploits (1)

nomisec WRITEUP
by trustcves · poc
https://github.com/trustcves/CVE-2024-24396


Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Stimulsoft Dashboards.JS <2024.1.2
No auth needed
Prerequisites: Access to the Dashboards Application
devstral-2 · analyzed Feb 19, 2026

References (3)

Core References
Exploit, Third Party Advisory: https://cves.at/posts/cve-2024-24396/writeup/

Scores

CVSS v3 6.1
EPSS 0.0178
EPSS Percentile 83.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE CWE-94, CWE-79
Status published
Products (2)
npm/stimulsoft-dashboards-js 0 - 2024.1.2
stimulsoft/dashboard.js < 2024.1.2
Published Feb 05, 2024
Tracked Since Feb 18, 2026