Advantech WISE-DeviceOn Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability exists in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are saved in the plugin configuration data and later displayed in the AddIns user interface without adequate HTML sanitization. This allows an attacker to inject malicious scripts into either field, which are then executed in the browser context of users who view or interact with the affected AddIns entry. Such exploitation could lead to session hijacking and unauthorized actions on behalf of the victim.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions.
Remediation
Users are advised to update to WISE-DeviceOn Server version 5.4 or later. The update is available on the Advantech DeviceOn resource page.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.