Key Information

Vulnerability Name: Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via action/schedule
Severity: Medium
Date: December 5, 2025
CVE: CVE-2025-34260
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting')
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References: Advantech Security Advisory; DeviceOn Software Download
Credit: Alex Williams from Pellera Technologies

Description

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/action/schedule endpoint. When an authenticated user adds a schedule to an existing task, the schedule name is stored and later rendered in schedule listings without HTML sanitization. An attacker can inject malicious script into the schedule name, which is then executed in the browser context of users who view or interact with the affected schedule, potentially enabling session compromise and unauthorized actions as the victim.
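The root cause above is a user-supplied schedule name reaching the listing page without output encoding. The following is an added example, not code from the advisory or from Advantech's product, showing the defensive pattern for that field: contextual HTML encoding at render time plus a server-side allowlist check on the stored value. The field names (`id`, `name`, `cron`) and the sample schedules are constructed assumptions.

```javascript
// Added example (not from the advisory or Advantech's code): renders a schedule
// listing with the schedule name HTML-encoded before it reaches the page, and
// validates the name before it is stored. Field names and sample data are assumed.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Output encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Builds the table rows of a schedule listing. Every user-controlled field
// (the schedule name, the cron expression) is encoded; ids are coerced to integers.
function renderScheduleRows(schedules) {
  return schedules
    .map((s) => {
      const id = Number.parseInt(s.id, 10);
      if (!Number.isInteger(id)) throw new TypeError("invalid schedule id");
      return `<tr data-id="${id}"><td>${escapeHtml(s.name)}</td><td>${escapeHtml(s.cron)}</td></tr>`;
    })
    .join("");
}

// Server-side counterpart: constrain what is stored, independent of output encoding.
// Rejects empty or over-long names and names containing HTML metacharacters.
const MAX_NAME_LEN = 64;
function validateScheduleName(name) {
  if (typeof name !== "string" || name.length === 0 || name.length > MAX_NAME_LEN) return false;
  return !/[<>"'&]/.test(name);
}

// Constructed sample: one benign schedule and one whose name carries markup,
// the situation the advisory describes.
const SAMPLE_SCHEDULES = [
  { id: "7", name: "Nightly sync", cron: "0 2 * * *" },
  { id: "8", name: 'Report <script>run()</script> "weekly"', cron: "0 6 * * 1" },
];

// Shows that the rendered listing never contains a live tag from the stored name.
function demo() {
  const html = renderScheduleRows(SAMPLE_SCHEDULES);
  return { html, containsLiveTag: html.includes("<script") };
}
```

`demo().html` is what a listing page would emit after the fix; the second row shows the markup as inert text, and `validateScheduleName` would have rejected that name at the /rmm/v1/action/schedule boundary in the first place.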