CVE-2024-24397: 
JavaScript vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Stimulsoft GmbH's Stimulsoft Dashboard.JS versions prior to v.2024.1.2. The vulnerability was discovered on January 10, 2024, and was assigned CVE-2024-24397. This security flaw affects the Stimulsoft Dashboard.JS application, which is a business intelligence platform for data visualization (Stimulsoft Website, CVE Details).

The vulnerability is a stored Cross-Site Scripting (XSS) issue that exists in the ReportName field of the application. When a report is loaded into the designer, the definition in the file does not get properly sanitized, allowing malicious payloads to persist. The vulnerability has been assigned a CVSS v3.1 score of 7.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L), indicating a high severity level (CVE Writeup).

The vulnerability allows remote attackers to execute arbitrary code via a crafted payload to the ReportName field. When exploited, the XSS payload can be triggered when a user clicks on Properties and expands the search bar in the dashboard designer, leading to potential data theft, session hijacking, or other malicious actions (CVE Writeup).

The vulnerability has been fixed in Stimulsoft Dashboard.JS version 2024.1.3, released on January 19, 2024. Users are advised to upgrade to this version or later to mitigate the security risk (CVE Writeup).