
CVE-2024-24397: n/a in n/a

Medium
Tags: Vulnerability, CVE-2024-24397, cve, cve-2024-24397
Published: Mon Feb 05 2024 (02/05/2024, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the ReportName field.

AI-Powered Analysis

Last updated: 07/04/2025, 18:57:08 UTC

Technical Analysis

CVE-2024-24397 is a Cross Site Scripting (XSS) vulnerability identified in Stimulsoft GmbH's Stimulsoft Dashboard.JS product, affecting versions prior to 2024.1.2. This vulnerability arises from improper sanitization or validation of user-supplied input in the ReportName field, allowing a remote attacker to inject malicious scripts. When a crafted payload is submitted to this field, the malicious code is executed within the context of the victim's browser session. The vulnerability is classified under CWE-79, improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4 (medium severity), with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the attack can be performed remotely over the network with low attack complexity, requires low privileges and user interaction, and impacts confidentiality and integrity with a scope change. The vulnerability does not affect availability. No known exploits in the wild have been reported yet, and no official patches or updates had been linked at the time of publication. The vulnerability allows attackers to execute arbitrary code in the victim's browser, potentially leading to session hijacking, data theft, or unauthorized actions within the affected web application environment. Since Stimulsoft Dashboard.JS is a JavaScript-based dashboard and reporting tool used to create interactive reports and dashboards, exploitation in a targeted environment could compromise sensitive business intelligence data or user credentials.

Potential Impact

For European organizations using Stimulsoft Dashboard.JS, this vulnerability poses a risk to the confidentiality and integrity of their reporting and dashboard data. Attackers exploiting this XSS flaw could execute malicious scripts in the context of authenticated users, potentially leading to session hijacking, unauthorized data access, or manipulation of displayed information. This could result in leakage of sensitive business intelligence, financial data, or personally identifiable information (PII), which is subject to strict regulatory frameworks such as GDPR. The scope change indicated by the CVSS vector suggests that the vulnerability could affect multiple users or systems within an organization once exploited. While availability is not directly impacted, the reputational damage and compliance risks from data breaches could be significant. Additionally, since the attack requires low privileges but user interaction, phishing or social engineering campaigns could be used to lure users into triggering the exploit. Organizations relying heavily on Stimulsoft Dashboard.JS for critical reporting functions may experience operational disruptions if trust in the integrity of their dashboards is compromised.

Mitigation Recommendations

European organizations should prioritize updating Stimulsoft Dashboard.JS to version 2024.1.2 or later once the patch is officially released by the vendor. Until then, specific mitigations include:

1) Implement strict input validation and output encoding on the ReportName field at the application layer to neutralize malicious scripts.
2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
3) Conduct user awareness training to reduce the risk of social engineering attacks that could trigger the vulnerability.
4) Monitor web application logs for suspicious input patterns targeting the ReportName field.
5) Use web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this vulnerability.
6) Limit user privileges where possible to reduce the impact of exploitation.
7) Regularly audit and review third-party components and dependencies for vulnerabilities.

These targeted measures go beyond generic advice by focusing on the specific vulnerable input vector and the operational context of the affected product.
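The first two mitigations above (input validation plus output encoding on the ReportName field, backed by a CSP) are shown below as an added example written for this page; it is not Stimulsoft's code and does not reflect how Dashboard.JS handles the field internally. The allow-listed character set, the 128-character limit, the function names and the CSP value are assumptions chosen for illustration and should be adapted to the application's real naming policy and script origins.

```javascript
// Added example (not Stimulsoft code): defensive handling of an untrusted
// ReportName value before it is placed into the dashboard page.

// HTML entity encoding for the element-content and attribute-value contexts:
// every character that can open or close markup, or terminate a quoted
// attribute, is replaced by its entity so the browser treats it as text.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow-list validation at the application layer. The policy here is an
// assumption for the example: letters, digits, spaces and a few punctuation
// characters, bounded length, no angle brackets or quotes at all.
const REPORT_NAME_MAX = 128;
const REPORT_NAME_RE = /^[\p{L}\p{N} _.,()-]+$/u;

function validateReportName(name) {
  if (typeof name !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > REPORT_NAME_MAX) {
    return { ok: false, reason: 'length' };
  }
  if (!REPORT_NAME_RE.test(trimmed)) {
    return { ok: false, reason: 'disallowed characters' };
  }
  return { ok: true, value: trimmed };
}

// Builds the fragment that displays the report name. A rejected name falls
// back to a neutral label; an accepted name is still encoded on output, so
// the two controls are independent (defence in depth).
function renderReportTitle(name) {
  const result = validateReportName(name);
  const shown = result.ok ? result.value : 'Untitled report';
  return `<h1 class="report-title">${escapeHtml(shown)}</h1>`;
}

// Content Security Policy sent with the dashboard page. Without 'unsafe-inline'
// in script-src, inline <script> blocks and on* event handlers do not run,
// so a string that slips past encoding still cannot execute. The origins are
// placeholders; list the hosts that actually serve the dashboard bundle.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

function cspResponseHeaders() {
  return { 'Content-Security-Policy': CSP_HEADER };
}

// Constructed sample inputs for a quick local run.
console.log(renderReportTitle('Quarterly Sales (EU)'));
console.log(renderReportTitle('Q1 <b>bold</b> & "special"'));
console.log(cspResponseHeaders());
```

Validation decides what is acceptable as a report name; encoding decides how whatever is stored gets written into HTML. Keeping both means a later change to the naming policy (for example, allowing ampersands) does not silently reopen the injection path, and the CSP limits what an encoding bug would cost.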


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-25T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec374

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/4/2025, 6:57:08 PM

Last updated: 7/31/2025, 5:12:30 AM

Views: 12
