CVE-2025-34260

Name of the Vulnerable Software and Affected Versions Advantech WISE-DeviceOn Server versions prior to 5.4

Description The software contains a stored cross-site scripting (XSS) issue in the /rmm/v1/action/schedule API endpoint. An attacker can inject malicious script into the schedule name when an authenticated user adds a schedule to an existing task. This script is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim, due to a lack of HTML sanitation when rendering schedule listings. The vulnerable parameter is the schedule name.

Recommendations Update to version 5.4 or later.