Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability exists in the /rmm/v1/rule-engines endpoint, where rule fields such as min, max, and unit are not properly sanitized before being displayed. An authenticated user can inject malicious scripts into these fields, which are then executed in the browser of users who view the affected rule. This could lead to session hijacking and unauthorized actions on behalf of the victim.

Impact

Exploitation of this vulnerability allows for the injection of malicious scripts that are executed in the context of the user's browser, potentially leading to session hijacking and unauthorized actions.

Remediation

Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the Advantech DeviceOn resource page.
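
The class of fix that addresses this kind of flaw, as an added example that is not Advantech's code and not part of the advisory: validate the min, max and unit rule fields when a rule is submitted, and HTML-encode them again when a rule is displayed. The rule object shape, the permitted unit characters, the 16-character limit and all function names are assumptions made for illustration.

```javascript
// Added example, not vendor code. Field names min/max/unit come from the
// advisory; the object shape, limits and function names are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Units are short labels such as "%", "m/s" or a degree sign plus a letter.
// Letters, digits and a few symbols only; nothing that can open a tag.
const UNIT_PATTERN = /^[\p{L}\p{N} %\u00B0\/.^-]{0,16}$/u;

// Input validation at the API boundary: returns a normalized rule or throws.
function validateRule(input) {
  const min = toFiniteNumber(input.min, 'min');
  const max = toFiniteNumber(input.max, 'max');
  if (min > max) throw new RangeError('min must not exceed max');
  const unit = input.unit === undefined || input.unit === null ? '' : input.unit;
  if (typeof unit !== 'string' || !UNIT_PATTERN.test(unit)) {
    throw new TypeError('unit contains unsupported characters');
  }
  return { min, max, unit };
}

function toFiniteNumber(value, name) {
  // Number('') is 0, so blank strings are rejected before conversion.
  if (typeof value === 'string' && value.trim() === '') throw new TypeError(`${name} is required`);
  const n = typeof value === 'number' ? value : typeof value === 'string' ? Number(value) : NaN;
  if (!Number.isFinite(n)) throw new TypeError(`${name} must be a finite number`);
  return n;
}

// Rendering encodes every field regardless of validation, so rows stored
// before validation existed are displayed as inert text.
function renderRuleRow(rule) {
  return `<tr><td>${escapeHtml(rule.min)}</td><td>${escapeHtml(rule.max)}</td>` +
         `<td>${escapeHtml(rule.unit)}</td></tr>`;
}

// Constructed sample: a legacy row whose unit field holds markup.
const legacyRow = { min: 0, max: 100, unit: '<b>C</b>' };
```

Encoding at render time is the control that matters for stored data; validation on input only limits what new rules can contain.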

Added: Dec 5, 2025, 6:45 PM
Updated: Dec 5, 2025, 6:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 5.0
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.