CVE-2025-34263

Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via plugin-config/dashboards/menus

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

05 dic 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Productos afectados

Advantech Co., Ltd. · WISE-DeviceOn Server

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf https://docs.deviceon.advantech.com/docs/resource/https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-dashboards-menus