Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. The issue resides in the /rmm/v1/devices/name/{agent_id} endpoint, through which an authenticated user can rename a device. The new name is saved and later displayed in device listings and detail views without adequate HTML sanitization or output encoding. Because the name persists in the device record, an authenticated attacker only needs to store script content in it once; it then executes in the browser of every user who subsequently views or interacts with the affected device. Such exploitation could lead to session hijacking and unauthorized actions on behalf of the victim.
Impact
Exploitation of this vulnerability allows for the injection of malicious scripts into device fields, which are then executed in the browsers of other users. This could result in session hijacking, credential theft, or unauthorized actions as the affected user.
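The following illustration is added here and is not Advantech's code; it models the defect pattern the advisory describes (a stored device name interpolated into HTML unencoded) beside the hardened form, and adds a post-upgrade audit helper. The in-memory store, the function names and the sample name are all constructed for the example.

```python
import html
import re

# Constructed in-memory device store standing in for the product's database.
# The real storage and template layers of WISE-DeviceOn are not known from the advisory.
DEVICES = {"agent-001": {"name": "Edge Gateway 01"}}

# Constructed sample rename: the kind of value a stored-XSS bug keeps verbatim.
UNTRUSTED_NAME = "<script>probe()</script>"


def rename_device_vulnerable(agent_id, new_name):
    """Stores whatever the caller sends, the behaviour described for versions < 5.4."""
    DEVICES[agent_id]["name"] = new_name


def render_listing_vulnerable():
    """Interpolates the stored name straight into markup: the stored-XSS sink."""
    return "".join(f"<li>{d['name']}</li>" for d in DEVICES.values())


def render_listing_hardened():
    """Same listing, but every stored value is HTML-encoded at output time.

    Encoding on output is the primary control: a script-bearing name is shown
    as literal text and never parsed as markup, whatever was stored.
    """
    return "".join(
        f"<li>{html.escape(d['name'], quote=True)}</li>" for d in DEVICES.values()
    )


# Hypothetical allowlist for device names: letters, digits, underscore, space, dot, dash.
DEVICE_NAME_RE = re.compile(r"[\w .\-]{1,64}")


def rename_device_hardened(agent_id, new_name):
    """Defence in depth: reject names outside an allowlist before they are stored.

    This narrows what can reach the database but does not replace output encoding.
    """
    if not DEVICE_NAME_RE.fullmatch(new_name):
        raise ValueError("device name contains characters outside the allowlist")
    DEVICES[agent_id]["name"] = new_name


def find_suspicious_names(devices):
    """Post-upgrade audit: list agent ids whose stored name still carries markup.

    Patching the sink stops new injections from executing, but names stored
    before the update remain in the database and should be reviewed or renamed.
    """
    markup = re.compile(r"[<>]|javascript:", re.IGNORECASE)
    return sorted(agent_id for agent_id, d in devices.items() if markup.search(d["name"]))


if __name__ == "__main__":
    rename_device_vulnerable("agent-001", UNTRUSTED_NAME)
    print("vulnerable:", render_listing_vulnerable())
    print("hardened:  ", render_listing_hardened())
    print("audit:     ", find_suspicious_names(DEVICES))
```

Run as a script, the vulnerable renderer emits the stored tag as live markup while the hardened renderer emits `&lt;script&gt;` text; the audit function then flags `agent-001` so the tainted record can be cleaned up after the server is updated.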
Remediation
Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the official Advantech DeviceOn resource page.
