Overview
CVE-2025-34266 is a stored cross-site scripting (XSS) vulnerability in Advantech WISE-DeviceOn Server versions prior to 5.4. It allows an authenticated attacker to inject malicious scripts into the application; successful exploitation could lead to session compromise and unauthorized actions.
Technical Details
The vulnerability resides in the /rmm/v1/plugin-config/addins/menus endpoint. An authenticated user with the ability to add or edit AddIns menu entries can inject malicious JavaScript code into the ‘label’ or ‘path’ fields of the AddIns menu configuration. These values are then stored and rendered in the AddIns UI without proper HTML…
-
Overview
CVE-2025-34265 is a stored cross-site scripting (XSS) vulnerability in Advantech WISE-DeviceOn Server versions prior to 5.4.
Technical Details
The vulnerability resides in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the fields ‘min’, ‘max’, and ‘unit’ are stored without proper HTML sanitization and are then rendered in rule listings or detail views. An attacker can exploit this by injecting malicious JavaScript code into these fields. When a user views or interacts with the affected…
-
Overview
CVE-2025-34264 is a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. It resides in the `/rmm/v1/dog/{agentId}` endpoint, which backs the Software Watchdog feature.
Technical Details
The vulnerability occurs when an authenticated user adds or edits Software Watchdog process rules for an agent. The monitored process name, which is stored in the settings array, is subsequently rendered in the Software Watchdog UI without proper HTML sanitization. Because the value is neither validated on input nor encoded on output, an attacker can inject malicious JavaScript code into the process name field. When a user views or interacts with the affected…
-
Overview
CVE-2025-34263 is a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. It allows an attacker to inject malicious scripts into the dashboard configuration, which are then executed in the browsers of other users who interact with the compromised dashboard. This can lead to session hijacking and unauthorized actions.
Technical Details
The vulnerability resides in the /rmm/v1/plugin-config/dashboards/menus endpoint. Authenticated users can add or edit dashboard entries, specifying labels and paths. These values are stored in the plugin configuration data and subsequently rendered in the dashboard UI without proper HTML sanitization. An attacker can exploit…
-
Overview
CVE-2025-34262 describes a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. The flaw allows an authenticated attacker to inject malicious JavaScript code into device names, which is then executed in the browsers of other users interacting with the affected devices. This can lead to session hijacking and unauthorized actions.
Technical Details
The vulnerability resides in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored without proper HTML sanitization. Subsequently, this unsanitized name is rendered in device listings or detail views within the WISE-DeviceOn…
-
Overview
CVE-2025-34261 details a stored cross-site scripting (XSS) vulnerability found in Advantech WISE-DeviceOn Server versions prior to 5.4. It resides within the /rmm/v1/devicegroups/ endpoint and allows an authenticated attacker to inject malicious JavaScript code into device group names and descriptions. This code is then executed in the browser context of other users who interact with those device groups, leading to potential session compromise and unauthorized actions.
Technical Details
The vulnerability stems from a lack of proper HTML sanitization when rendering device group names and descriptions within the WISE-DeviceOn Server interface. Specifically, when an authenticated user creates a device group,…
-
Overview
CVE-2025-34260 is a stored cross-site scripting (XSS) vulnerability in Advantech WISE-DeviceOn Server versions prior to 5.4. It allows an attacker to inject malicious script into the schedule name of an existing task. When other users view or interact with the affected schedule, the injected script executes within their browser context, potentially leading to session compromise and unauthorized actions.
Technical Details
The vulnerability resides in the /rmm/v1/action/schedule endpoint. An authenticated user can add a schedule to an existing task through this endpoint. The schedule name provided by the user is stored in the system’s database…
-
Overview
CVE-2025-34259 is a stored cross-site scripting (XSS) vulnerability in Advantech WISE-DeviceOn Server versions prior to 5.4, located within the /rmm/v1/devicemap/building endpoint. It allows attackers to inject malicious scripts into the application, potentially compromising user sessions and enabling unauthorized actions.
Technical Details
The vulnerability exists because the name parameter, used when creating a map entry via the /rmm/v1/devicemap/building endpoint, is not properly sanitized before being stored and rendered in the map list UI. An authenticated user with malicious intent can inject arbitrary HTML and JavaScript code into the name…
-
Overview
CVE-2025-34258 describes a stored cross-site scripting (XSS) vulnerability found in Advantech WISE-DeviceOn Server versions prior to 5.4. It allows an authenticated attacker to inject malicious JavaScript code into the application, which can then be executed in the browsers of other users, potentially leading to session hijacking, data theft, and other malicious activity.
Technical Details
The vulnerability exists in the /rmm/v1/devicemap/plan endpoint. When an authenticated user adds an area to a map entry, the name parameter is stored without proper HTML sanitization. This allows an attacker to insert…
-
Overview
CVE-2025-34257 describes a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. It exists within the /rmm/v1/action/defined endpoint. An authenticated attacker can inject malicious JavaScript code into the defined_name field when creating a task. This code is then stored by the server and executed in the browser of other users who view the task’s Overview page, leading to potential session hijacking and unauthorized actions.
Technical Details
The vulnerability stems from a lack of proper HTML sanitization of the defined_name value. When an authenticated user creates a new task within the WISE-DeviceOn Server, the provided…
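All ten advisories above (CVE-2025-34257 through CVE-2025-34266) describe the same defect class: a string an authenticated user stores through a /rmm/v1/ endpoint (a menu label or path, a device or group name, a rule bound, a process name, a schedule or task name) is later interpolated into HTML without encoding. The following is an added example written for this page, not Advantech's code and not taken from the advisories. It uses the AddIns/dashboard menu entries as the concrete case, assumes a `{label, path}` record shape (the field names come from the advisory text, the structure is an assumption), and goes slightly beyond the advisories by also handling the attribute context that a `path` lands in: a `javascript:` URL in an href is a stored-XSS vector even when the value is entity-encoded. `renderMenuUnsafe()` reproduces the vulnerable pattern; `renderMenuSafe()` is the hardened form; `containsActiveContent()` is a quick check a reviewer can run over rendered output.

```javascript
// Added example (not Advantech's code): the stored-XSS pattern behind the
// WISE-DeviceOn advisories is "user-supplied string concatenated into HTML".
// renderMenuUnsafe() reproduces that pattern; renderMenuSafe() encodes each
// value for the context it is inserted into. The {label, path} record shape
// is assumed from the advisory text, not taken from the product.

// Entity-encode the five characters that can break out of HTML text or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only a same-origin relative path ("/rmm/...") or an absolute
// http(s) URL for use in href. javascript:, data:, vbscript: and
// protocol-relative "//evil" values collapse to a harmless "#".
function safeHref(path) {
  const p = String(path).trim();
  if (/^\/(?!\/)/.test(p)) return p;
  try {
    const u = new URL(p);
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) {
    // not an absolute URL; fall through to the placeholder
  }
  return "#";
}

// Vulnerable: raw interpolation, the behaviour the advisories describe.
function renderMenuUnsafe(entries) {
  return "<ul>" + entries.map(e =>
    `<li><a href="${e.path}">${e.label}</a></li>`).join("") + "</ul>";
}

// Hardened: URL scheme is validated, then every value is entity-encoded.
function renderMenuSafe(entries) {
  return "<ul>" + entries.map(e =>
    `<li><a href="${escapeHtml(safeHref(e.path))}">${escapeHtml(e.label)}</a></li>`
  ).join("") + "</ul>";
}

// Reviewer check over rendered HTML: did a stored value survive as a tag, or
// as an href with a script scheme?
function containsActiveContent(html) {
  return /<img\b/i.test(html) || /href="javascript:/i.test(html);
}

// Constructed sample input: one benign entry and two carrying the kind of
// payload an authenticated user could store via the menu endpoints.
const SAMPLE_ENTRIES = [
  { label: "Device Map", path: "/rmm/devicemap" },
  { label: '<img src=x onerror="alert(document.cookie)">', path: "/rmm/addins" },
  { label: "Help", path: "javascript:alert(1)" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderMenuUnsafe(SAMPLE_ENTRIES));
  console.log("safe:  ", renderMenuSafe(SAMPLE_ENTRIES));
  console.log("unsafe has active content:", containsActiveContent(renderMenuUnsafe(SAMPLE_ENTRIES)));
  console.log("safe has active content:  ", containsActiveContent(renderMenuSafe(SAMPLE_ENTRIES)));
}
```

Run it with `node` to see both renderings side by side. The point the advisories make is that sanitizing on input is not enough on its own: the fix that survives every field type listed above is output encoding at the rendering site, plus scheme validation for anything that becomes a URL.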