Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability exists in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is saved in the settings array and later displayed in the Software Watchdog user interface without adequate HTML sanitization. This lack of proper input handling allows an attacker to inject malicious scripts into the process name. These scripts are executed in the browser context of users who view or interact with the affected rules, potentially leading to session hijacking and unauthorized actions on behalf of the victim.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user’s browser, potentially leading to session hijacking and unauthorized actions.

Remediation

Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the official Advantech DeviceOn resource page.
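The missing control described above is output encoding of the stored process name, which can be paired with input validation and an audit of rules saved before the upgrade. The following is an added example, not Advantech's code or fix: the `processName` field, the allowlist pattern, the agent ID and the sample rules are assumptions made for illustration.

```javascript
// Added example. Field names, the allowlist and the sample data are assumptions;
// the advisory does not publish the server's schema or its fix.

// Encode the five HTML-significant characters before inserting text into markup.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Conservative allowlist for a monitored process name: letters, digits,
// space, dot, underscore, hyphen and parentheses; 1 to 128 characters.
const PROCESS_NAME_RE = /^[A-Za-z0-9 ._()-]{1,128}$/;
function isValidProcessName(name) {
  return typeof name === 'string' && PROCESS_NAME_RE.test(name);
}

// Walk the stored rules of one agent and report every process name that
// fails the allowlist, so entries saved before the upgrade can be reviewed.
function auditWatchdogRules(agentId, settings) {
  return settings
    .map((rule, index) => ({ agentId, index, processName: rule.processName }))
    .filter((entry) => !isValidProcessName(entry.processName));
}

// Render one rule as a table row with the name encoded as text, so stored
// markup is displayed literally instead of being parsed by the browser.
function renderRuleRow(rule) {
  return `<tr><td>${escapeHtml(rule.processName)}</td></tr>`;
}

// Constructed sample data, not taken from a real server.
const sampleSettings = [
  { processName: 'nginx.exe' },
  { processName: '<b>backup</b>.exe' },
  { processName: 'Agent Service (x64)' },
];

console.log(auditWatchdogRules('agent-0001', sampleSettings));
console.log(sampleSettings.map(renderRuleRow).join('\n'));
```

Validation on save and encoding on render are independent layers: the encoder still protects the page if a rule reaches storage by a path that skips validation.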

Added: Dec 5, 2025, 6:34 PM
Updated: Dec 5, 2025, 6:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 1.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.