CVE-2021-21803: 
Advantech R-SeeNet vulnerability analysis and mitigation

CVE-2021-21803 is a cross-site scripting (XSS) vulnerability discovered in Advantech R-SeeNet version 2.4.12 (20.10.2020). The vulnerability exists in the devicegraphpage.php script, specifically in the handling of the is2sim parameter. The vulnerability was disclosed on July 15, 2021, affecting the R-SeeNet web applications, which is a software system used for monitoring Advantech routers (Talos Report).

The vulnerability stems from improper input validation in the devicegraphpage.php script. When processing the is2sim parameter, the script fails to sanitize user input in the context of XSS payload. The unsanitized input is then directly embedded into HTML code at Line 64. The vulnerability has been assigned a CVSS v3.0 score of 9.6 (CRITICAL) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (Talos Report).

If successfully exploited, this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the targeted user's browser. The vulnerability is particularly concerning as it does not require the victim to be logged into the application to be affected. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser (Talos Report).

The vulnerability was reported to the vendor on March 11, 2021, followed by an advisory to CISA on March 14, 2021. After multiple follow-ups with no response from the vendor, the vulnerability was publicly disclosed on July 15, 2021. Users of affected systems should implement proper input validation and sanitization for the is2sim parameter in the devicegraphpage.php script (Talos Report).