CVE-2021-21802: 
Advantech R-SeeNet vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability exists in the device_graph_page.php script of Advantech R-SeeNet version 2.4.12 (20.10.2020). The vulnerability, identified as CVE-2021-21802, was discovered in July 2021 and affects the device_id parameter of the application. When a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user's browser (Talos Report).

The vulnerability exists in the device_graph_page.php script, which accepts a device_id parameter without proper sanitization. When this parameter is processed, the value from the user is embedded directly into the HTML code. The vulnerability has received a CVSS v3.1 base score of 6.1 MEDIUM from NIST NVD, while Talos assigned it a more severe CVSS v3.0 score of 9.6 CRITICAL. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Talos Report).

If successfully exploited, the vulnerability allows an attacker to execute arbitrary JavaScript code in the victim's browser. Notably, the victim does not need to be logged into the application to be affected by this vulnerability, making it particularly dangerous. The vulnerability can lead to theft of sensitive information, session hijacking, or other malicious actions within the context of the user's browser (Talos Report).

The vulnerability was disclosed to the vendor on March 11, 2021, with follow-ups on April 13 and June 7, 2021. After no response from the vendor, the vulnerability was publicly disclosed on July 15, 2021. No official patch or mitigation strategy has been published by the vendor (Talos Report).