CVE-2025-34257

Name of the Vulnerable Software and Affected Versions Advantech WISE-DeviceOn Server versions prior to 5.4

Description The software contains a stored cross-site scripting (XSS) issue in the /rmm/v1/action/defined API endpoint. An attacker can inject malicious script into the defined name variable when an authenticated user creates a task. This script is then executed in the browser context of users who view the affected task, potentially leading to session compromise and unauthorized actions. The issue occurs because the defined name value is stored and rendered in the Overview page without proper HTML sanitization.

Recommendations Update to version 5.4 or later.