Incomplete Output Escaping of Device-Reported and Log Values (DOM-26-011)
Summary
Digi On-Prem Manager did not consistently escape some device-reported, enrollment, audit-log, and security-log values before rendering them in the web interface. A party able to influence one of these values, for example a managed device reporting configuration data or command output, could store content that the browser interpreted as HTML markup when an operator opened the affected dashboard, configuration, command-output, audit-log, or security-log view (a stored markup-injection issue).
Mitigations
The dashboard ships a Content Security Policy that allows scripts only from the application origin or carrying a per-response nonce, and does not permit inline scripts or eval. An injected <script> block or inline event handler therefore does not execute, because it cannot carry the nonce of the response it was injected into. In practice this limits the real-world impact to HTML and CSS markup injection in an operator's view (for example layout disruption or misleading content) rather than script execution, session theft, or data exfiltration through script. This protection depends on the policy reaching the browser unchanged on every response; operators who front the dashboard with a reverse proxy or load balancer should confirm that the Content-Security-Policy header is not stripped or rewritten. Until the update is applied, restrict dashboard and DX access to trusted users and devices.
Solution
Update to Digi On-Prem Manager v26.06 or later. Device-reported, enrollment, audit-log, security-log, and command-output values are now escaped for the output context they are rendered into (HTML text, attribute, or script data) in every affected view.
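What "escaped for their output context" means in practice, shown as an added example rather than the product's own rendering code: the same device-reported string needs a different escaper depending on whether it lands in an HTML text node, a double-quoted attribute, or a JS string literal inside the application's nonced script. The view structure, the `data-device` attribute and the sample command output are constructed for illustration.

```javascript
// Added example, not product code: one device-reported value, three output contexts.

const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// HTML text nodes and double-quoted attribute values: neutralise the five
// characters that can close a tag, an attribute or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => HTML_MAP[c]);
}

// JS string literal inside a <script>: \uXXXX-encode everything outside a small
// allowlist, so neither the quote nor a "</script>" sequence survives.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.:_-]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// One row of a hypothetical command-output view: deviceId goes into an
// attribute, the output into a text node, each with its own escaper.
function renderRow(deviceId, output) {
  return `<tr data-device="${escapeHtml(deviceId)}">` +
    `<td><pre>${escapeHtml(output)}</pre></td></tr>`;
}

// The same output handed to the page's own nonced script as data.
function renderInlineData(nonce, output) {
  return `<script nonce="${escapeHtml(nonce)}">` +
    `window.lastOutput = "${escapeJsString(output)}";</script>`;
}

// Count raw script tags in rendered HTML: with correct escaping only the
// application's own <script> element remains.
function countScriptTags(html) {
  return (html.match(/<\/?script/gi) || []).length;
}

// Constructed sample: command output that tries to close the text node, open a
// script block, and break out of an attribute with an event handler.
const SAMPLE_OUTPUT = '<script>alert(1)</script>" onmouseover="alert(2)';

function demo() {
  const row = renderRow('dev-"001"', SAMPLE_OUTPUT);
  const data = renderInlineData('abc123', SAMPLE_OUTPUT);
  return {
    row,
    data,
    rawScriptTagsInRow: countScriptTags(row),     // 0
    rawScriptTagsInData: countScriptTags(data),   // 2: the real open and close tag
  };
}

module.exports = { escapeHtml, escapeJsString, renderRow, renderInlineData, countScriptTags, demo };
```

The point a reviewer checks in a fix like this is not that an escaper exists but that every interpolation uses the escaper for its own context; an HTML escaper applied inside a JS string literal, or no escaper at all inside an attribute, is exactly the inconsistency the advisory describes.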
Affected Versions
Digi On-Prem Manager versions before v26.06 are affected.