CVE-2025-34263
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-17

Assigner: VulnCheck

Description
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-17
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34263
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
advantech wise-deviceon_server to 5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection involves identifying if the /rmm/v1/plugin-config/dashboards/menus endpoint is accessible and if dashboard entries contain malicious scripts in the label or path fields. Since the vulnerability requires authenticated access, monitoring HTTP requests to this endpoint for suspicious input patterns (e.g., script tags) can help. There are no specific commands provided in the resources. However, you can use tools like curl or Burp Suite to authenticate and query the endpoint, then inspect responses for unsanitized script content. For example, a curl command to fetch dashboard menus after authentication might be used, but exact commands are not provided. [3]

Mitigation Strategies

The immediate mitigation step is to update Advantech WISE-DeviceOn Server to version 5.4 or later, where the vulnerability has been fixed. Until the update is applied, restrict access to the affected endpoint to trusted users only, and monitor for suspicious activity. Avoid allowing untrusted users to add or edit dashboard entries to prevent exploitation. [3]

Executive Summary

This vulnerability is a stored cross-site scripting (XSS) issue in Advantech WISE-DeviceOn Server versions prior to 5.4. It occurs in the /rmm/v1/plugin-config/dashboards/menus endpoint where an authenticated user can add or edit dashboard entries. The label and path values are stored without proper HTML sanitation and later rendered in the dashboard UI. An attacker can inject malicious scripts into these fields, which execute in the browsers of users who view or interact with the affected dashboard.

Impact Analysis

The vulnerability can lead to session compromise and unauthorized actions performed as the victim user. Since the malicious script executes in the context of the victim's browser, attackers may steal session tokens, perform actions on behalf of the user, or access sensitive information accessible through the dashboard interface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34263. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart