CVE-2021-21801
Description
This vulnerability is present in device_graph_page.php script, which is a part of the Advantech R-SeeNet web applications. A specially crafted URL by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS flaw in Advantech R-SeeNet's device_graph_page.php lets an attacker execute arbitrary JavaScript via a crafted graph parameter.
Vulnerability
The vulnerability resides in the device_graph_page.php script of Advantech R-SeeNet version 2.4.12 (20.10.2020). The script accepts a graph GET parameter [1]. On line 64, the unvalidated value is embedded directly into an HTML tag's src attribute without sanitization or output encoding, enabling reflected cross-site scripting (XSS) [1].
Exploitation
An attacker crafts a URL containing a malicious payload in the graph parameter, e.g. graph=%22zlo%20onerror=alert(1)%20%22. The attacker then social-engineers a victim with a valid session into visiting the crafted link. No prior authentication or network position is required beyond web access to the R-SeeNet instance [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session theft, credential exfiltration, or arbitrary actions within the R-SeeNet application in the victim's session [1].
Mitigation
As of the published advisory (July 2021), no vendor patch or fixed version had been announced. Users should restrict access to the R-SeeNet web interface to trusted networks and consider applying input validation on the graph parameter (allowlisting the expected values and HTML-encoding the value before it is placed in an attribute) or a web application firewall rule that blocks suspicious graph parameter values [1]. CVE-2021-21801 is not listed in CISA's Known Exploited Vulnerabilities catalog.
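As an added illustration (this is not the advisory's code and not the actual source of device_graph_page.php), the PHP below contrasts the pattern the Vulnerability section describes, an unvalidated GET parameter echoed into a src attribute, with a hardened version that applies the input validation the Mitigation section recommends together with attribute-context output encoding. The function names, the constructed request value and the `.png` allowlist pattern are assumptions made for this example, not details taken from the product.

```php
<?php
// Constructed illustration, not the source of Advantech R-SeeNet's
// device_graph_page.php. It contrasts the reflected-XSS pattern described in
// the advisory (an unvalidated GET parameter placed in a src attribute) with
// a hardened version that validates and encodes the value.

// --- Vulnerable pattern (shown for contrast; do not use) -------------------
function render_graph_vulnerable(array $get): string
{
    $graph = $get['graph'] ?? '';
    // The raw value lands inside a quoted attribute. A double quote in the
    // input closes the attribute, so anything that follows is parsed as
    // further attributes of the tag (for example an event handler).
    return '<img src="' . $graph . '">';
}

// --- Hardened version -------------------------------------------------------
function render_graph_safe(array $get): string
{
    $graph = $get['graph'] ?? '';

    // 1. Allowlist: accept only the graph identifiers the page is meant to
    //    serve. The pattern below (short alphanumeric name ending in .png) is
    //    an assumption for this example; a real deployment would use the
    //    naming scheme its graph images actually follow, or better still map
    //    an opaque id to a server-side path and never echo the raw input.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $graph)) {
        // A real handler would also set a 400 status here.
        return '<p>Invalid graph parameter.</p>';
    }

    // 2. Output encoding: even an allowlisted value is HTML-encoded for the
    //    attribute context, so a later relaxation of the allowlist cannot
    //    reintroduce attribute breakout.
    $encoded = htmlspecialchars($graph, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $encoded . '">';
}

// Constructed request values: one shaped like the advisory's payload (a quote
// that closes the attribute followed by an event handler) and one legitimate.
$hostile    = ['graph' => '"zlo onerror=alert(1) "'];
$legitimate = ['graph' => 'device_12.png'];

// The vulnerable renderer reproduces the hostile input verbatim inside the tag;
// the hardened renderer rejects it and renders only the legitimate value.
echo render_graph_vulnerable($hostile), PHP_EOL;
echo render_graph_safe($hostile), PHP_EOL;
echo render_graph_safe($legitimate), PHP_EOL;
```

The allowlist check is the primary control, because the graph parameter has a small, known set of valid values; the htmlspecialchars call is defence in depth for the attribute context. If the application later needs to accept values outside the allowlist, the encoding step is what keeps a quote character from terminating the attribute.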
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Advantech R-SeeNet
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://talosintelligence.com/vulnerability_reports/TALOS-2021-1272
News mentions
No linked articles in our index yet.