CVE-2025-34261

Name of the Vulnerable Software and Affected Versions Advantech WISE-DeviceOn Server versions prior to 5.4

Description The software contains a stored cross-site scripting (XSS) issue in the /rmm/v1/devicegroups/ API endpoint. An attacker can inject malicious script into the name and description fields when creating a device group. This script is then executed in the browser of users who view the affected device group, potentially leading to session compromise and unauthorized actions. The issue occurs because the software does not properly sanitize HTML when storing and rendering these values in device group listings.

Recommendations Update to version 5.4 or later.