Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. The issue resides in the /rmm/v1/action/defined endpoint, where an authenticated user can create a task that includes a defined_name value. This value is stored and later displayed on the Overview page without proper HTML sanitization. As a result, an attacker could inject malicious scripts into defined_name, which would then execute in the browser of any user viewing the affected task. Exploitation could lead to session hijacking and unauthorized actions performed as the victim.
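
The flaw class described above, shown as an added example that is not Advantech's code: a task row rendered with and without output encoding, plus a helper that flags stored names containing markup for review. The function names, the table markup and the sample records are assumptions made for illustration.

```javascript
// Added example. All names and markup here are hypothetical, not product code.

// Characters that let text break out of HTML text or quoted-attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for safe placement inside HTML element content or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so the browser parses whatever tags it contains.
function renderTaskRowUnsafe(task) {
  return `<tr><td class="task-name">${task.defined_name}</td></tr>`;
}

// Hardened pattern: encode at output time, regardless of what was stored.
function renderTaskRowSafe(task) {
  return `<tr><td class="task-name">${escapeHtml(task.defined_name)}</td></tr>`;
}

// Audit helper: return ids of stored tasks whose name contains angle brackets,
// so records created before the fix can be reviewed.
function findSuspectTasks(tasks) {
  return tasks.filter((t) => /[<>]/.test(String(t.defined_name))).map((t) => t.id);
}

// Constructed sample records (not real data); id 2 carries a standard XSS test string.
const sampleTasks = [
  { id: 1, defined_name: "Reboot gateway" },
  { id: 2, defined_name: "<img src=x onerror=alert(1)>" },
  { id: 3, defined_name: "Backup & restore" },
];

for (const task of sampleTasks) {
  console.log("unsafe:", renderTaskRowUnsafe(task));
  console.log("safe:  ", renderTaskRowSafe(task));
}
console.log("needs review:", findSuspectTasks(sampleTasks));
```

Encoding at render time protects viewers even when a hostile value is already in the database; the audit helper only identifies records worth inspecting and is not a substitute for the encoding.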

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of other users' browsers. This could result in session hijacking, credential theft, or unauthorized actions being performed as the affected user.

Remediation

Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the Advantech DeviceOn official resource page.

Added: Dec 5, 2025, 6:49 PM
Updated: Dec 5, 2025, 6:49 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 1.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.