PT-2025-49287 · Advantech · Wise-Deviceon Server

Alex Williams · Published 2025-12-05 · Updated 2025-12-05 · CVE-2025-34266

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions
Advantech WISE-DeviceOn Server versions prior to 5.4

Description
The software contains a stored cross-site scripting (XSS) issue in the /rmm/v1/plugin-config/addins/menus API endpoint. An authenticated user adding or editing an AddIns menu entry can inject malicious script into the label and path values. These values are stored in plugin configuration data and rendered in the AddIns UI without proper HTML sanitization. This allows an attacker to execute script in the browser context of users viewing or interacting with the affected AddIns entry, potentially leading to session compromise and unauthorized actions.

Recommendations
Update to version 5.4 or later. As a temporary workaround, carefully sanitize all input to the label and path parameters when adding or editing AddIns menu entries.
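
The workaround above, sketched as an added example (not Advantech's code and not part of the original advisory): it validates the path value against an http(s) allowlist and HTML-encodes both label and path at render time, next to the naive rendering the description implies. Only the field names label and path come from the advisory; the function names, the BASE origin and the sample entries are assumptions.

```javascript
// Added example: field names `label` and `path` come from the advisory;
// BASE, the function names and the sample entries are assumptions.
const BASE = "https://deviceon.invalid/"; // placeholder origin for resolving relative paths

const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode text for an HTML element body or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Accept only http(s) targets. Parsing with the WHATWG URL parser first
// normalises tricks such as embedded tabs/newlines or mixed case in the scheme.
function isSafePath(path) {
  if (typeof path !== "string" || path.length === 0) return false;
  let url;
  try {
    url = new URL(path, BASE);
  } catch {
    return false;
  }
  return url.protocol === "http:" || url.protocol === "https:";
}

// Before: stored values are concatenated straight into markup.
function renderMenuEntryUnsafe(entry) {
  return `<a href="${entry.path}">${entry.label}</a>`;
}

// After: reject unsafe paths, then encode both values at output time.
function renderMenuEntry(entry) {
  if (!isSafePath(entry.path)) {
    throw new Error("rejected AddIns menu path");
  }
  return `<a href="${escapeHtml(entry.path)}">${escapeHtml(entry.label)}</a>`;
}

// Constructed sample entries (not taken from the product).
const hostile = { label: "<script>alert(1)</script>", path: "java\tscript:alert(1)" };
const benign = { label: "Reports & Logs", path: "/addins/reports?tab=1" };
```

Encoding at output time matters even when input is validated on save, because entries stored before the check was added are still rendered.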

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-34266

Affected Products: Wise-Deviceon Server