CVE-2025-34261: High-Risk XSS Vulnerability Discovered in Advantech WISE-DeviceOn Server

Overview

CVE-2025-34261 details a stored cross-site scripting (XSS) vulnerability found in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability resides within the /rmm/v1/devicegroups/ endpoint. It allows an authenticated attacker to inject malicious JavaScript code into device group names and descriptions. This code is then executed in the browser context of other users who interact with those device groups, leading to potential session compromise and unauthorized actions.

Technical Details

The vulnerability stems from a lack of proper HTML sanitization when rendering device group names and descriptions within the WISE-DeviceOn Server interface. Specifically, when an authenticated user creates a device group, the provided name and description are stored in the system. Subsequently, these values are displayed in device group listings without being properly escaped or sanitized. An attacker can exploit this by crafting a malicious device group name or description containing JavaScript code (e.g., <script>alert('XSS')</script>). When another user views the device group, the injected script executes in their browser. This gives the attacker the ability to steal cookies, modify the page content, or redirect the user to a malicious website.

CVSS Analysis

Currently, the CVSS score is listed as N/A. However, based on the nature of the vulnerability (stored XSS), it is likely to be assigned a HIGH severity rating. A typical CVSS score for a stored XSS vulnerability ranges between 7.0 and 8.8, depending on the attack complexity and scope. The ability to execute arbitrary JavaScript in the context of another user poses a significant risk.

Possible Impact

The impact of this vulnerability can be significant:

  • Session Compromise: Attackers can steal user session cookies, allowing them to impersonate victims and gain unauthorized access to the WISE-DeviceOn Server.
  • Account Takeover: With compromised sessions, attackers can change user credentials, effectively taking over accounts.
  • Data Theft: Attackers can access and exfiltrate sensitive data managed by the WISE-DeviceOn Server.
  • Malware Distribution: Attackers can inject malicious code that redirects users to websites hosting malware.
  • Defacement: Attackers can modify the appearance of the WISE-DeviceOn Server interface, causing disruption and potentially spreading misinformation.

Mitigation and Patch Steps

The primary mitigation step is to upgrade to Advantech WISE-DeviceOn Server version 5.4 or later. This version contains a fix that properly sanitizes user-supplied input, preventing the execution of malicious JavaScript code. Immediate action is recommended.

In the interim, consider the following workarounds, although they are less effective than patching:

  • Input Validation: Implement strict input validation on the server side for device group names and descriptions. Reject any input containing HTML tags or JavaScript code.
  • Content Security Policy (CSP): Implement a strong CSP to restrict the sources from which the browser can load resources, mitigating the impact of XSS attacks.
  • Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities in the WISE-DeviceOn Server and its associated applications.
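
The rendering flaw described under Technical Details and the input-validation workaround above, shown side by side as an added example. This is not Advantech's code; the function names, the name/description field layout and the 128-character limit are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helpers, not taken from WISE-DeviceOn.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored values are concatenated into markup unchanged,
// so a stored <script> element reaches every viewer's browser as markup.
function renderGroupRowUnsafe(group) {
  return `<tr><td>${group.name}</td><td>${group.description}</td></tr>`;
}

// Hardened pattern: every stored value is encoded at output time,
// so the same record is displayed as inert text.
function renderGroupRowSafe(group) {
  return `<tr><td>${escapeHtml(group.name)}</td><td>${escapeHtml(group.description)}</td></tr>`;
}

// Interim server-side check (assumed rules): normalize first so that
// compatibility forms such as fullwidth angle brackets cannot slip past,
// then reject markup characters, control characters and oversized values.
function validateGroupField(value, maxLen = 128) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  const v = value.normalize('NFKC').trim();
  if (v.length === 0 || v.length > maxLen) return { ok: false, reason: 'length' };
  if (/[<>"'&`]/.test(v)) return { ok: false, reason: 'markup character' };
  if (/[\u0000-\u001f\u007f]/.test(v)) return { ok: false, reason: 'control character' };
  return { ok: true, value: v };
}

// Constructed sample record using the payload quoted in this article.
const sampleGroup = { name: "<script>alert('XSS')</script>", description: 'Line 3 sensors' };

console.log(renderGroupRowUnsafe(sampleGroup)); // markup survives intact
console.log(renderGroupRowSafe(sampleGroup));   // markup is encoded as text
console.log(validateGroupField(sampleGroup.name));
```

Validation on write does not clean records that are already stored, so output encoding is the control that protects existing device groups.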

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
