CVE-2025-34265

Name of the Vulnerable Software and Affected Versions Advantech WISE-DeviceOn Server versions prior to 5.4

Description The software contains a stored cross-site scripting (XSS) issue in the /rmm/v1/rule-engines API endpoint. An authenticated user creating or updating a rule for an agent can inject malicious script into the min, max, and unit rule fields. This script is then executed in the browser context of users viewing or interacting with the affected rule, potentially leading to session compromise and unauthorized actions. The issue occurs because the rule fields are stored and rendered without proper HTML sanitation.

Recommendations Update Advantech WISE-DeviceOn Server to version 5.4 or later.