CVE-2024-24398
https://notcve.org/view.php?id=CVE-2024-24398
Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function. • https://github.com/trustcves/CVE-2024-24398 http://stimulsoft.com https://cloud-trustit.spp.at/s/Pi78FFazHamJQ5R https://cves.at/posts/cve-2024-24398/writeup • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-24397
https://notcve.org/view.php?id=CVE-2024-24397
Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the ReportName field. • https://github.com/trustcves/CVE-2024-24397 http://stimulsoft.com https://cloud-trustit.spp.at/s/Pi78FFazHamJQ5R https://cves.at/posts/cve-2024-24397/writeup • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-24396
https://notcve.org/view.php?id=CVE-2024-24396
Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component. • https://github.com/trustcves/CVE-2024-24396 http://stimulsoft.com https://cloud-trustit.spp.at/s/Pi78FFazHamJQ5R https://cves.at/posts/cve-2024-24396/writeup • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-25262
https://notcve.org/view.php?id=CVE-2023-25262
Stimulsoft GmbH Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Server Side Request Forgery (SSRF). The Reporting Designer (Web) offers the possibility to embed sources from external locations. If the user chooses an external location, the request to that resource is performed by the server rather than the client. Therefore, the server causes outbound traffic and potentially imports data. An attacker may also leverage this behaviour to exfiltrate data of machines on the internal network of the server hosting the Stimulsoft Reporting Designer (Web). • https://github.com/trustcves/CVE-2023-25262 http://stimulsoft.com https://cloud-trustit.spp.at/s/HjEksN86SfsMaJM https://cves.at/posts/cve-2023-25262/writeup • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-25260
https://notcve.org/view.php?id=CVE-2023-25260
Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Local File Inclusion. • https://github.com/trustcves/CVE-2023-25260 http://stimulsoft.com https://cloud-trustit.spp.at/s/K9ZXWzEmftaxa3C https://cves.at/posts/cve-2023-25260/writeup •