PT-2025-49279 · Advantech · Wise-Deviceon Server

Alex Williams · Published 2025-12-05 · Updated 2025-12-05 · CVE-2025-34258

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Advantech WISE-DeviceOn Server versions prior to 5.4

Description

The software contains a stored cross-site scripting (XSS) issue in the /rmm/v1/devicemap/plan API endpoint. An attacker can inject malicious script into the name parameter when an authenticated user adds an area to a map entry. This script is then executed in the browser context of users who view or interact with the affected map entry, potentially leading to session compromise and unauthorized actions. The issue occurs because the name parameter is stored and rendered without proper HTML sanitization.

Recommendations

Update to version 5.4 or later.

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-34258

Affected Products: Wise-Deviceon Server