CVE-2024-24397

MEDIUM

stimulsoft dashboards.js < 2024.1.2 - Cross-Site Scripting via ReportName Field

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-24397. PoCs published by trustcves.

AI-analyzed exploit summary: The writeup details a Stored Cross-Site Scripting (XSS) vulnerability in Stimulsoft Dashboards.JS, where an attacker can inject malicious scripts into the `ReportName` field, which execute when the report is loaded and the user interacts with the properties panel. The vulnerability is unauthenticated and affects versions prior to 2024.1.3.

Description

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the ReportName field.

Exploits (1)

nomisec WRITEUP
by trustcves · poc
https://github.com/trustcves/CVE-2024-24397

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Stimulsoft Dashboards.JS <2024.1.2
No auth needed
Prerequisites: Access to the Dashboards Application
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 5.4
EPSS 0.0122
EPSS Percentile 79.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE: CWE-79
Status published
Products (2)
npm/stimulsoft-dashboards-js 0 - 2024.1.2 (npm)
stimulsoft/dashboards.js < 2024.1.2
Published Feb 05, 2024
Tracked Since Feb 18, 2026