Advantech Co Ltd Wise-Deviceon Server vulnerabilities
11 known vulnerabilities affecting advantech_co_ltd/wise-deviceon_server.
Total CVEs
11
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1MEDIUM10
Vulnerabilities
Page 1 of 1
CVE-2025-34256P2CRITICALCVSS 9.8fixed in 5.4.02025-12-05
CVE-2025-34256 [CRITICAL] CWE-321 CVE-2025-34256: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerab
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a hard-coded cryptographic key vulnerability. The product uses a static HS512 HMAC secret for signing EIRMMToken JWTs across all installations. The server accepts forged JWTs that need only contain a valid email claim, allowing a remote unauthenticated attacker to generate arbitrary toke
nvd
CVE-2025-34263P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34263 [MEDIUM] CWE-79 CVE-2025-34263: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML
nvd
CVE-2025-34261P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34261 [MEDIUM] CWE-79 CVE-2025-34261: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicegroups/ endpoint. When an authenticated user creates a device group, the name and description values are stored and later rendered in device group listings without proper HTML sanitation. An attacker can inject malicious
nvd
CVE-2025-34260P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34260 [MEDIUM] CWE-79 CVE-2025-34260: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitation. An attacker can inject malicious script int
nvd
CVE-2025-34266P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34266 [MEDIUM] CWE-79 CVE-2025-34266: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/addins/menus endpoint. When an authenticated user adds or edits an AddIns menu entry, the label and path values are stored in plugin configuration data and later rendered in the AddIns UI without proper HTML sani
nvd
CVE-2025-34262P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34262 [MEDIUM] CWE-79 CVE-2025-34262: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored and later rendered in device listings or detail views without proper HTML sanitation. An attacker can inject malicious
nvd
CVE-2025-34259P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34259 [MEDIUM] CWE-79 CVE-2025-34259: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/building endpoint. When an authenticated user creates a map entry, the name parameter is stored and later rendered in the map list UI without HTML sanitzation. An attacker can inject malicious script into the map ent
nvd
CVE-2025-34257P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34257 [MEDIUM] CWE-79 CVE-2025-34257: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/defined endpoint. When an authenticated user creates a task, the defined_name value is stored and later rendered in the Overview page without HTML sanitization. An attacker can inject malicious script into defined_name,
nvd
CVE-2025-34258P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34258 [MEDIUM] CWE-79 CVE-2025-34258: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/devicemap/plan endpoint. When an authenticated user adds an area to a map entry, the name parameter is stored and later rendered in the map list without HTML sanitization. An attacker can inject malicious script into the area
nvd
CVE-2025-34265P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34265 [MEDIUM] CWE-79 CVE-2025-34265: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/rule-engines endpoint. When an authenticated user creates or updates a rule for an agent, the rule fields min, max, and unit are stored and later rendered in rule listings or detail views without proper HTML sanitation. An att
nvd
CVE-2025-34264P4MEDIUMCVSS 5.4fixed in 5.42025-12-05
CVE-2025-34264 [MEDIUM] CWE-79 CVE-2025-34264: Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vul
Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/dog/{agentId} endpoint. When an authenticated user adds or edits Software Watchdog process rules for an agent, the monitored process name is stored in the settings array and later rendered in the Software Watchdog UI without p
nvd