Overview CVE-2025-34263 is a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability allows an attacker to inject malicious scripts into the dashboard configuration, which are then executed in the browsers of other users who interact with the compromised dashboard. This can lead to session hijacking and unauthorized actions. Technical Details The vulnerability resides in the /rmm/v1/plugin-config/dashboards/menus endpoint. Authenticated users can add or edit dashboard entries, specifying labels and paths. These values are stored in the plugin configuration data and subsequently rendered in the dashboard UI without proper HTML sanitization. An attacker can exploit…

Overview CVE-2025-34262 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. This flaw allows an authenticated attacker to inject malicious JavaScript code into device names, which is then executed in the browsers of other users interacting with the affected devices. This can lead to session hijacking and unauthorized actions, posing a significant security risk. Technical Details The vulnerability resides in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored without proper HTML sanitization. Subsequently, this unsanitized name is rendered in device listings or detail views within the WISE-DeviceOn…

Overview CVE-2025-34261 details a stored cross-site scripting (XSS) vulnerability found in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability resides within the /rmm/v1/devicegroups/ endpoint. It allows an authenticated attacker to inject malicious JavaScript code into device group names and descriptions. This code is then executed in the browser context of other users who interact with those device groups, leading to potential session compromise and unauthorized actions. Technical Details The vulnerability stems from a lack of proper HTML sanitization when rendering device group names and descriptions within the WISE-DeviceOn Server interface. Specifically, when an authenticated user creates a device group,…

Overview A stored cross-site scripting (XSS) vulnerability, identified as CVE-2025-34260, has been discovered in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability allows an attacker to inject malicious script into the schedule name of an existing task. When other users view or interact with the affected schedule, the injected script executes within their browser context, potentially leading to session compromise and unauthorized actions. Technical Details The vulnerability resides in the /rmm/v1/action/schedule endpoint. An authenticated user can add a schedule to an existing task through this endpoint. The schedule name provided by the user is stored in the system’s database…

Overview A significant security vulnerability, identified as CVE-2025-34259, has been discovered in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability is a stored cross-site scripting (XSS) flaw located within the /rmm/v1/devicemap/building endpoint. This allows attackers to inject malicious scripts into the application, potentially compromising user sessions and enabling unauthorized actions. Technical Details The vulnerability exists because the name parameter, used when creating a map entry via the /rmm/v1/devicemap/building endpoint, is not properly sanitized before being stored and rendered in the map list UI. An authenticated user with malicious intent can inject arbitrary HTML and JavaScript code into the name…

Overview CVE-2025-34258 describes a stored cross-site scripting (XSS) vulnerability found in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability allows an authenticated attacker to inject malicious JavaScript code into the application, which can then be executed in the browser of other users, potentially leading to session hijacking, data theft, and other malicious activities. This poses a significant risk to organizations using the affected software. Technical Details The vulnerability exists in the /rmm/v1/devicemap/plan endpoint. When an authenticated user adds an area to a map entry, the name parameter is stored without proper HTML sanitization. This allows an attacker to insert…

Overview CVE-2025-34257 describes a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability exists within the /rmm/v1/action/defined endpoint. An authenticated attacker can inject malicious JavaScript code into the defined_name field when creating a task. This code is then stored by the server and executed in the browser of other users who view the task’s Overview page, leading to potential session hijacking and unauthorized actions. Technical Details The vulnerability stems from a lack of proper HTML sanitization of the defined_name value. When an authenticated user creates a new task within the WISE-DeviceOn Server, the provided…

Overview CVE-2025-34256 describes a critical vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability stems from the use of a hard-coded cryptographic key, specifically a static HS512 HMAC secret, used for signing EIRMMToken JWTs (JSON Web Tokens) across all installations. This allows a remote, unauthenticated attacker to forge JWTs, impersonate any DeviceOn account, including the root super admin, and gain complete control over the DeviceOn instance. Technical Details The core issue is the usage of a static, pre-defined HMAC secret for signing JWTs. This violates fundamental security principles. Because the secret is the same for all installations, an…

Overview CVE-2020-36882 describes a security vulnerability found in Flexsense DiskBoss version 7.7.14. This flaw allows unauthenticated attackers to upload arbitrary files to the system via the /Command/Search Files/Directory field. Successfully exploiting this vulnerability results in a denial of service (DoS) by crashing the DiskBoss application. Technical Details The vulnerability stems from insufficient input validation in the /Command/Search Files/Directory field. An attacker can send a crafted request to this endpoint, containing a malicious payload disguised as a directory or filename. Because the software doesn’t properly sanitize or validate the uploaded file, it attempts to process the malicious content, leading to an…

Overview CVE-2020-36881 describes a local buffer overflow vulnerability found in Flexsense DiskBoss version 7.7.14. This vulnerability resides in the ‘Input Directory’ component and allows an unauthenticated attacker to potentially execute arbitrary code on the affected system. The exploit is triggered by pasting a specially crafted directory path into the ‘Add Input Directory’ field. Technical Details The vulnerability is a classic buffer overflow. When a user attempts to add a new input directory using the ‘Add Input Directory’ field, the application fails to properly validate the length of the provided path. By providing a string exceeding the buffer’s allocated size, an…