CVE-2025-34261
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| advantech | wise-deviceon_server | to 5.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the /rmm/v1/devicegroups/ endpoint allows authenticated users to create device groups with name and description fields that contain malicious script code which is then rendered without proper HTML sanitization. Detection involves verifying if stored XSS payloads can be injected and executed in the browser context when viewing device group listings. Specific commands are not provided in the resources, but testing could involve using an authenticated session to POST or PUT device group data with script tags in the name or description fields and then observing if the script executes when the device group is viewed. [2]
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in Advantech WISE-DeviceOn Server versions prior to 5.4. It occurs in the /rmm/v1/devicegroups/ endpoint where an authenticated user can create a device group with a name and description that are stored without proper HTML sanitation. Malicious scripts injected into these fields are executed in the browsers of users who view or interact with the affected device group, potentially leading to session compromise and unauthorized actions.
How can this vulnerability impact me? :
The vulnerability can lead to session compromise and unauthorized actions performed by attackers in the context of affected users. This means attackers could hijack user sessions or perform actions on behalf of users who view or interact with the maliciously crafted device groups, potentially leading to data theft, manipulation, or other security breaches.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Advantech WISE-DeviceOn Server to version 5.4 or later, where this stored XSS vulnerability has been fixed by properly sanitizing the input fields. Until the update can be applied, restrict authenticated user permissions to prevent creation or modification of device groups, and educate users to avoid interacting with suspicious device group entries. [2]