CRITICAL🇵🇱 Wersja polska

CVE-2024-24398

CVSS 9.8v3.1pub. 2024-02-06upd. 2026-07-05

Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function.

🤖 AI Analysis
How it works

An attacker sends a crafted payload to the fileName parameter of the Save function, containing path traversal sequences (e.g., '../'). The application does not properly validate the file path provided by the user, allowing the file to be written to any location accessible to the server process. By placing a malicious file (e.g., an executable script) outside the intended directory, the attacker can trigger arbitrary code execution.

Impact

An attacker can gain full control over the server by executing arbitrary code with the privileges of the application process. Data confidentiality loss, file modification or deletion, and complete service unavailability are possible.

Mitigation & patch

Stimulsoft Dashboard.JS should be updated to version 2024.1.2 or newer. It is also recommended to restrict network access to the application panel only to trusted IP addresses and to monitor file write attempts outside designated directories.

Who is affected

Stimulsoft Dashboard.JS in versions prior to 2024.1.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Stimulsoft Dashboards.php

    APP
    Stimulsoft
    < 2024.1.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2023-25261CRITICAL9.8ten sam vendor

Certain Stimulsoft GmbH products are affected by: Remote Code Execution. This affects Stimulsoft Designer (Des...

CVE-2021-42777CRITICAL9.8ten sam vendor

Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execut...

CVE-2020-15865CRITICAL9.8ten sam vendor

A Remote Code Execution vulnerability in Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0 allows an attacker ...

CVE-2023-25262HIGH7.5ten sam vendor

Stimulsoft GmbH Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Server Side Request Forgery (SSRF). TThe R...

CVE-2023-25260HIGH7.5ten sam vendor

Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Local File Inclusion.