Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability exists in the /rmm/v1/devicemap/building endpoint, where the name parameter of a map entry created by an authenticated user is stored and later displayed in the map list UI without proper HTML sanitization. This lack of sanitization allows an attacker to inject malicious scripts into the map entry name, which are then executed in the browser context of users who view or interact with the affected map entry. Such exploitation could lead to session compromise and unauthorized actions on behalf of the victim.
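The pattern described above, as an added example that is not Advantech's code and not part of the original advisory: a stored name concatenated into list markup, the same render with output encoding, and an audit helper that flags already-stored names containing markup for review. The entry objects, the `id` field, the function names and the sample names are constructed for illustration; only the `name` parameter comes from the advisory.

```javascript
// Added example. Not WISE-DeviceOn code; record shape and function names are assumptions.

// Characters that let text change meaning in HTML element or quoted-attribute context.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Unsafe pattern: the stored name is concatenated into markup as-is,
// so any tags it contains are parsed by the browser.
function renderMapRowUnsafe(entry) {
  return '<li class="map-entry">' + entry.name + '</li>';
}

// Hardened form: encode at output time, so the name is always shown as text
// regardless of what was accepted and stored earlier.
function renderMapRow(entry) {
  return '<li class="map-entry">' + escapeHtml(entry.name) + '</li>';
}

// Audit helper: return ids of stored entries whose name contains angle
// brackets. Ordinary names such as 'R&D "Annex"' are not flagged.
function findSuspectNames(entries) {
  return entries.filter((e) => /[<>]/.test(String(e.name))).map((e) => e.id);
}

// Constructed sample data (hypothetical map entries, benign markup only).
const SAMPLE_ENTRIES = [
  { id: 1, name: 'Building A' },
  { id: 2, name: '<b>Lobby</b>' },
  { id: 3, name: 'R&D "Annex"' },
];

for (const entry of SAMPLE_ENTRIES) {
  console.log(renderMapRow(entry));
}
console.log('names to review:', findSuspectNames(SAMPLE_ENTRIES));
```

Encoding at render time covers entries stored before an upgrade; the audit helper identifies those entries so they can be reviewed or renamed.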

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected map entry. This could result in session hijacking, credential theft, or unauthorized actions being performed as the victim.

Remediation

Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the Advantech DeviceOn official website.

Added: Dec 5, 2025, 6:48 PM
Updated: Dec 5, 2025, 6:48 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 1.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.