Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. The vulnerability exists in the /rmm/v1/action/schedule endpoint, where schedule names are saved and later displayed without proper HTML sanitization. An authenticated user can inject malicious script into a schedule name, which is then executed in the browser of any user who views or interacts with that schedule. This could lead to session hijacking and unauthorized actions performed on behalf of the victim.
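The rendering flaw described above, shown as an added example that is not Advantech code: the stored schedule name is interpolated straight into markup in the unsafe row renderer, while the hardened renderer encodes each untrusted value for the HTML context it lands in, and a server-side allow-list check keeps markup characters out of stored names in the first place. The `schedule` field names and the name pattern are assumptions, not the WISE-DeviceOn schema.

```javascript
// Added example (not Advantech code). Field names and the allowed name
// pattern are assumptions for illustration, not the WISE-DeviceOn schema.

// Encode the five characters that change meaning in HTML text and
// quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is dropped into the page as-is, so
// any markup saved in the name is parsed and executed by the browser.
function renderScheduleRowUnsafe(schedule) {
  return `<tr data-id="${schedule.id}"><td>${schedule.name}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded before it is placed
// in markup, so a name containing markup is displayed literally.
function renderScheduleRow(schedule) {
  return `<tr data-id="${escapeHtml(schedule.id)}"><td>${escapeHtml(schedule.name)}</td></tr>`;
}

// Defence in depth at the write side (the schedule endpoint): reject names
// that contain markup characters at all, so stored data never depends on
// every consumer encoding correctly. Pattern is an assumed policy.
const SCHEDULE_NAME = /^[\w .\-]{1,64}$/;
function isValidScheduleName(name) {
  return typeof name === 'string' && SCHEDULE_NAME.test(name);
}

// Constructed sample input (not from the advisory) that the unsafe renderer
// would emit as live markup; harmless tags used to show the encoding.
const sample = { id: 7, name: 'Nightly <backup> & "restart"' };
```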
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected schedule. This could result in session hijacking, credential theft, or unauthorized actions being performed as the victim.
Remediation
Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the official Advantech DeviceOn resource page.
