1. EXECUTIVE SUMMARY
- CVSS v4 8.7
- ATTENTION: Exploitable remotely/Low attack complexity
- Vendor: Advantech
- Equipment: DeviceOn/iEdge
- Vulnerabilities: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in a denial-of-service condition, remote code execution, or an attacker reading arbitrary files.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of DeviceOn/iEdge, an IoT management platform, is affected:
- DeviceOn/iEdge: Version 2.0.2 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error, causing information disclosure or data manipulation.
CVE-2025-64302 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-64302. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L).