PT-2025-49285 · Advantech · Wise-Deviceon Server

Alex Williams · Published 2025-12-05 · Updated 2025-12-05 · CVE-2025-34264

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Advantech WISE-DeviceOn Server versions prior to 5.4

Description

The software contains a stored cross-site scripting (XSS) issue in the /rmm/v1/dog/{agentId} API endpoint. An authenticated user who adds or edits Software Watchdog process rules for an agent can inject malicious script into the process name. This script is then executed in the browser context of users viewing or interacting with the affected rules, potentially leading to session compromise and unauthorized actions. The vulnerable parameter is the monitored process name, which is stored in the settings array and rendered in the Software Watchdog UI without proper HTML sanitization.

Recommendations

Update to version 5.4 or later. As a temporary workaround, sanitize all user-supplied input for the monitored process name before storing it in the settings array.
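
One way to apply the workaround together with output encoding at render time, as an added example that is not Advantech's code. The rule shape, the `processName` field name, the allowlist policy and all function names are assumptions for illustration, and the sample data is constructed.

```javascript
// Assumed rule shape: { processName: "..." } inside a settings array.
// The real WISE-DeviceOn schema is not shown on this page.

// Assumed allowlist for a monitored process name: letters, digits,
// dot, underscore, hyphen, space and parentheses, 1 to 128 characters.
const PROCESS_NAME_RE = /^[A-Za-z0-9._\- ()]{1,128}$/;

// Server-side check applied before a rule is stored in the settings array.
function validateRule(rule) {
  const name = rule && rule.processName;
  if (typeof name !== "string") {
    return { ok: false, reason: "processName must be a string" };
  }
  const trimmed = name.trim();
  if (!PROCESS_NAME_RE.test(trimmed)) {
    return { ok: false, reason: "processName has disallowed characters" };
  }
  return { ok: true, rule: { ...rule, processName: trimmed } };
}

// Split an incoming settings array into storable and rejected rules.
function filterSettings(settings) {
  const accepted = [];
  const rejected = [];
  for (const rule of settings) {
    const result = validateRule(rule);
    if (result.ok) accepted.push(result.rule);
    else rejected.push({ rule, reason: result.reason });
  }
  return { accepted, rejected };
}

// Output encoding for HTML text context: the second layer, so that a value
// already stored before the input check existed is still rendered inert.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderRuleRow(rule) {
  return `<tr><td>${escapeHtml(rule.processName)}</td></tr>`;
}

// Constructed sample input: two ordinary names and one markup-bearing name.
const SAMPLE_SETTINGS = [
  { processName: "nginx.exe" },
  { processName: "<script>alert(1)</script>" },
  { processName: "backup agent (x64)" },
];
```

Input validation alone does not cover rules stored before the check was deployed, which is why the render path encodes as well.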

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-34264

Affected Products: Wise-Deviceon Server