Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. The issue resides in the /rmm/v1/devicemap/plan endpoint, where the name parameter is saved without proper HTML sanitization. This allows authenticated users to inject malicious scripts into area names, which are then executed in the browsers of users who view the affected map entry. Such exploitation could lead to session hijacking and unauthorized actions on behalf of the victim.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected map entry. This could result in session hijacking, credential theft, or unauthorized actions as the victim.
Remediation
Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the official Advantech DeviceOn resource page.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.