Critical XSS Vulnerability Patched in Advantech WISE-DeviceOn Server (CVE-2025-34260)

Overview

A stored cross-site scripting (XSS) vulnerability, identified as CVE-2025-34260, has been discovered in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability allows an attacker to inject malicious script into the schedule name of an existing task. When other users view or interact with the affected schedule, the injected script executes within their browser context, potentially leading to session compromise and unauthorized actions.

Technical Details

The vulnerability resides in the /rmm/v1/action/schedule endpoint. An authenticated user can add a schedule to an existing task through this endpoint. The schedule name provided by the user is stored in the system’s database without proper HTML sanitization or encoding. When the schedule name is subsequently rendered in schedule listings within the application, the stored XSS payload is executed. This occurs because the application fails to neutralize or escape the malicious script before displaying it to the user.

Attackers can exploit this vulnerability by crafting a malicious schedule name containing JavaScript code. For example, a schedule name could be: <script>alert('XSS Vulnerability!')</script>. When another user views the schedule, this script will execute, demonstrating the vulnerability. More sophisticated payloads could be used to steal cookies, redirect users to phishing sites, or perform other malicious actions on behalf of the victim user.

CVSS Analysis

No Common Vulnerability Scoring System (CVSS) score has been assigned to CVE-2025-34260 yet (currently N/A). However, given the nature of the vulnerability (stored XSS) and its potential impact (session compromise, unauthorized actions), it is likely to be classified as a medium to high severity vulnerability once a score is assigned.

Possible Impact

The exploitation of this stored XSS vulnerability can have significant consequences:

  • Session Hijacking: An attacker can steal a user’s session cookie and gain unauthorized access to their account.
  • Account Takeover: By stealing session cookies or performing other actions, an attacker can potentially take over user accounts.
  • Data Theft: An attacker can steal sensitive data accessible to the compromised user.
  • Malware Distribution: An attacker can use the compromised account to distribute malware to other users within the Advantech WISE-DeviceOn Server environment.
  • Defacement: An attacker might modify the appearance of the Advantech WISE-DeviceOn Server interface visible to other users.

Mitigation or Patch Steps

Advantech has released version 5.4 of WISE-DeviceOn Server to address this vulnerability. Users are strongly advised to upgrade to version 5.4 or later as soon as possible. The upgrade includes proper input sanitization and output encoding to prevent the execution of malicious scripts. Apply the patch following the official Advantech documentation.
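
The output encoding described above, shown as an added example that is not Advantech's code and not part of the original advisory: it renders the same stored schedule name with and without encoding, and lists stored names that contain markup characters for review. The { id, name } record shape, the sample rows and all function names are assumptions.

```javascript
// Added example, not Advantech code. The { id, name } record shape is hypothetical.

// Constructed sample rows; the second name is the payload quoted in this article.
const schedules = [
  { id: 1, name: "Nightly reboot" },
  { id: 2, name: "<script>alert('XSS Vulnerability!')</script>" },
  { id: 3, name: "Patch & verify <stage 2>" },
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode the five characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged.
function renderRowUnsafe(s) {
  return `<tr><td>${s.id}</td><td>${s.name}</td></tr>`;
}

// Hardened pattern: the name is encoded at output time, so it displays as text.
function renderRowSafe(s) {
  return `<tr><td>${Number(s.id)}</td><td>${escapeHtml(s.name)}</td></tr>`;
}

// Audit helper: return ids of stored names that contain markup metacharacters.
// Legitimate names can match too (row 3), so this is a triage list, not a verdict.
function findSuspectNames(rows) {
  return rows.filter((r) => /[<>]/.test(String(r.name))).map((r) => r.id);
}

console.log(renderRowUnsafe(schedules[1]));
console.log(renderRowSafe(schedules[1]));
console.log("names to review:", findSuspectNames(schedules));
```

Encoding at render time keeps a legitimate name such as row 3 intact for display, which stripping characters on input would not.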

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
