CVE-2024-24398

CRITICAL

Stimulsoft Dashboard.JS < 2024.1.2 - Path Traversal via Save Function FileName Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-24398. PoCs published by trustcves.

AI-analyzed exploit summary: The writeup details an arbitrary file write vulnerability in Stimulsoft Dashboards.PHP due to improper handling of the `fileName` parameter, allowing attackers to write files to any location accessible by the webserver user. The vulnerability is unauthenticated and was fixed in version 2024.1.3.

Description

Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function.

Exploits (1)

nomisec WRITEUP
by trustcves · poc
https://github.com/trustcves/CVE-2024-24398

Classification: Writeup 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Stimulsoft Dashboards.PHP <2024.1.2
No auth needed
Prerequisites: Access to the Dashboards Application
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026

References (3)

Core References
Exploit, Third Party Advisory
https://cves.at/posts/cve-2024-24398/writeup/

Scores

CVSS v3 9.8
EPSS 0.3050
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-22
Status published
Products (2)
npm/stimulsoft-dashboards-js 0 - 2024.1.3
stimulsoft/dashboards.php < 2024.1.2
Published Feb 06, 2024
Tracked Since Feb 18, 2026