11 matches found
CVE-2025-34256
Advantech WISE-DeviceOn Server (prior to 5.4) uses a static HS512 HMAC secret to sign EIRMMToken JWTs, enabling forged tokens with a valid email claim. This allows remote, unauthenticated attackers to impersonate any DeviceOn account, including the root super admin, and obtain full administrative...
CVE-2025-34257
The CVE-2025-34257 entry concerns Advantech WISE-DeviceOn Server (versions prior to 5.4). A stored XSS exists in the /rmm/v1/action/defined endpoint: when an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. The ...
CVE-2025-34265
Advantech WISE-DeviceOn Server (prior to version 5.4) exposes a stored XSS in the /rmm/v1/rule-engines endpoint. When an authenticated user creates/updates a rule, the min, max, and unit fields are stored and later rendered without proper HTML sanitization, allowing injected script to run in the ...
CVE-2025-34264
Advantech WISE-DeviceOn Server (pre-5.4) is vulnerable to an authenticated stored XSS via the /rmm/v1/dog/{agentId} endpoint. When a user adds/edits Software Watchdog rules for an agent, the monitored process name is stored in a settings array and rendered in the Software Watchdog UI without prop...
CVE-2025-34258
Advantech WISE-DeviceOn Server
CVE-2025-34266
Advantech WISE-DeviceOn Server versions prior to 5.4 are affected by a stored XSS in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds/edits an AddIns menu entry, the label and path are stored in plugin configuration data and later rendered in the AddIns UI without ...
CVE-2025-34260
Affected product: Advantech WISE-DeviceOn Server prior to 5.4. Vulnerability: Authenticated stored XSS via /rmm/v1/action/schedule when a schedule name is stored and later rendered without HTML escaping. Root cause: Lack of proper input validation/escaping for user-supplied data at the schedule e...
CVE-2025-34261
CVE-2025-34261 affects Advantech WISE-DeviceOn Server (versions prior to 5.4). The vulnerability is a stored XSS in the /rmm/v1/devicegroups/ endpoint: when an authenticated user creates a device group, the name/description are stored and later rendered without proper HTML sanitation. An attacker...
CVE-2025-34262
Advantech WISE-DeviceOn Server has a stored XSS in /rmm/v1/devices/name/{agent_id} affecting versions prior to 5.4. An authenticated user can rename a device; the new_name is stored and later rendered in listings/details without HTML escaping, allowing injected script to run in the browser contex...
CVE-2025-34259
Advantech WISE-DeviceOn Server (pre-5.4) is affected by a stored XSS in the /rmm/v1/devicemap/building endpoint. The issue arises from unfiltered/store of the map entry name which is later rendered in the map list UI without HTML sanitization, enabling an attacker to inject script that runs in th...
CVE-2025-34263
CVE-2025-34263 : Advantech WISE-DeviceOn Server versions prior to 5.4 suffer an authenticated stored XSS in the /rmm/v1/plugin-config/dashboards/menus endpoint. When a user adds/edits a dashboard entry, the label and path are stored in plugin configuration data and rendered in the dashboard UI wi...