Vulnerabilites related to psu - haxcms-php
Vulnerability from fkie_nvd
Published
2025-07-26 04:16
Modified
2025-08-21 20:54
Severity ?
Summary
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-nodejs | * | |
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "3129AEF5-B4C5-4694-AE1F-9A402890B1E5",
"versionEndExcluding": "11.0.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1A74B72F-D438-44F9-9A3D-53CE9D8487A4",
"versionEndExcluding": "11.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don\u0027t check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php."
},
{
"lang": "es",
"value": "HAX CMS permite gestionar el universo de micrositios con backends PHP o NodeJs. En las versiones 11.0.13 y anteriores de haxcms-nodejs y 11.0.8 y anteriores de haxcms-php, los endpoints de la API no realizan comprobaciones de autorizaci\u00f3n al interactuar con un recurso. Tanto la versi\u00f3n JS como la PHP del CMS no verifican que un usuario tenga permiso para interactuar con un recurso antes de realizar una operaci\u00f3n. Los endpoints de la API dentro de la aplicaci\u00f3n HAX CMS comprueban si un usuario est\u00e1 autenticado, pero no comprueban la autorizaci\u00f3n antes de realizar una operaci\u00f3n. Esto se ha corregido en las versiones 11.0.14 de haxcms-nodejs y 11.0.9 de haxcms-php."
}
],
"id": "CVE-2025-54378",
"lastModified": "2025-08-21T20:54:52.883",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.5,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-26T04:16:05.967",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-09 21:15
Modified
2025-07-30 17:36
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8 | Patch | |
| security-advisories@github.com | https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7 | Exploit, Issue Tracking, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-nodejs | * | |
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "BFE3138D-BCD5-4DF5-BB74-90A34118051F",
"versionEndExcluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A72C09C8-71A3-4B4F-BA0E-CF75016F5112",
"versionEndExcluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue."
},
{
"lang": "es",
"value": "HAX CMS PHP permite a los usuarios gestionar su universo de micrositios con un backend PHP. Antes de la versi\u00f3n 11.0.0, la aplicaci\u00f3n no depuraba adecuadamente la entrada del usuario, lo que permit\u00eda la ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario. Los endpoints \"saveNode\" y \"saveManifest\" reciben la entrada del usuario y la almacenan en el esquema JSON del sitio. Este contenido se renderiza en el sitio HAX generado. Aunque la aplicaci\u00f3n no permite a los usuarios proporcionar una etiqueta `script`, s\u00ed permite el uso de otras etiquetas HTML para ejecutar JavaScript. La versi\u00f3n 11.0.0 soluciona este problema."
}
],
"id": "CVE-2025-49137",
"lastModified": "2025-07-30T17:36:14.653",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-06-09T21:15:46.890",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
},
{
"lang": "en",
"value": "CWE-87"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-07-11 18:15
Modified
2025-08-22 16:52
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/haxtheweb/issues/security/advisories/GHSA-g4f5-5w5j-p5jg | Third Party Advisory, Issue Tracking |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-nodejs | * | |
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "C760A93C-A6C5-457F-9913-4CFFBC00E20E",
"versionEndExcluding": "11.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17EB8163-34F7-4A85-BC57-B0050F8A2AA6",
"versionEndExcluding": "11.0.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user\u0027s session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6."
},
{
"lang": "es",
"value": "haxcms-nodejs y haxcms-php son backends para HAXcms. La funci\u00f3n de cierre de sesi\u00f3n de la aplicaci\u00f3n no cierra la sesi\u00f3n del usuario ni borra sus cookies. Adem\u00e1s, la aplicaci\u00f3n emite un token de actualizaci\u00f3n al cerrar sesi\u00f3n. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 11.0.6."
}
],
"id": "CVE-2025-53642",
"lastModified": "2025-08-22T16:52:08.603",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-07-11T18:15:35.123",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory",
"Issue Tracking"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4f5-5w5j-p5jg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-07-23 00:15
Modified
2025-08-22 15:19
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-nodejs | * | |
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "CAF3C36E-9946-4D22-9235-230C05946065",
"versionEndExcluding": "11.0.13",
"versionStartIncluding": "11.0.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4C45E1F5-8FEA-4A56-8993-1C1E737A0226",
"versionEndExcluding": "11.0.8",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8."
},
{
"lang": "es",
"value": "HAX CMS permite a los usuarios gestionar su universo de micrositios con un backend NodeJS o PHP. En las versiones 11.0.12 y anteriores de haxcms-nodejs y 11.0.7 y anteriores de haxcms-php, ninguna p\u00e1gina de la aplicaci\u00f3n HAX CMS contiene encabezados para impedir que otros sitios web la carguen dentro de un iframe. Esto aplica tanto al CMS como a los sitios generados. Un atacante no autenticado puede cargar la p\u00e1gina de inicio de sesi\u00f3n independiente u otra funcionalidad sensible dentro de un iframe, realizando un ataque de correcci\u00f3n de la interfaz de usuario (clickjacking). Esto puede utilizarse para realizar ataques de ingenier\u00eda social que intenten obligar a los usuarios a realizar acciones no deseadas dentro de la aplicaci\u00f3n HAX CMS. Esto se ha corregido en las versiones 11.0.13 y 11.0.8 de haxcms-nodejs y 11.0.8 de haxcms-php."
}
],
"id": "CVE-2025-54139",
"lastModified": "2025-08-22T15:19:58.083",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-07-23T00:15:25.737",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/777f9a7ff9675a160496f350d766df1f1f9b9b99"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/708dc8518928fe307044e67bff8b0f397cfdd606"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1021"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-08 16:15
Modified
2025-07-30 17:36
Severity ?
Summary
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks ’.php’, ’.sh’, ’.js’, and ’.css’ files. The existing logic causes the system to "fail open" rather than "fail closed." This vulnerability is fixed in 10.0.3.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p | Exploit, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "11087C13-9FD6-46A6-95D3-379EA1B30DEB",
"versionEndExcluding": "10.0.3",
"versionStartIncluding": "9.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a \u2019save\u2019 function in \u2019HAXCMSFile.php\u2019. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks \u2019.php\u2019, \u2019.sh\u2019, \u2019.js\u2019, and \u2019.css\u2019 files. The existing logic causes the system to \"fail open\" rather than \"fail closed.\" This vulnerability is fixed in 10.0.3."
},
{
"lang": "es",
"value": "HAX CMS PHP le permite gestionar su universo de micrositios con un backend PHP. Varias funciones de carga de archivos dentro de la aplicaci\u00f3n HAX CMS PHP llaman a una funci\u00f3n de \"guardar\" en \"HAXCMSFile.php\". Esta funci\u00f3n de \"guardar\" utiliza una lista de denegados para impedir que se carguen al servidor tipos espec\u00edficos de archivo. Esta lista no es exhaustiva y solo bloquea los archivos \".php\", \".sh\", \".js\" y \".css\". La l\u00f3gica existente provoca que el sistema \"fallo abrir\" en lugar de \"fallo cerrar\". Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 10.0.3."
}
],
"id": "CVE-2025-32028",
"lastModified": "2025-07-30T17:36:18.587",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-04-08T16:15:28.180",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-09 21:15
Modified
2025-07-30 17:35
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-nodejs | * | |
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "BFE3138D-BCD5-4DF5-BB74-90A34118051F",
"versionEndExcluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A72C09C8-71A3-4B4F-BA0E-CF75016F5112",
"versionEndExcluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client\u0027s browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue."
},
{
"lang": "es",
"value": "HAX CMS PHP permite a los usuarios gestionar su universo de micrositios con un backend PHP. Antes de la versi\u00f3n 11.0.0, en el editor de sitios HAX, los usuarios pod\u00edan crear un bloque de sitio web para cargar otro sitio en un iframe. La aplicaci\u00f3n permite introducir una URL de destino en el bloque de sitio web. Al visitar el sitio HAX, el navegador del cliente consultar\u00e1 la URL proporcionada. Un atacante autenticado puede crear un sitio HAX con un bloque de sitio web que apunte a un servidor controlado por el atacante que ejecute Responder o una herramienta similar. Posteriormente, el atacante puede realizar un ataque de phishing convenciendo a otro usuario de que visite su sitio HAX malicioso para obtener credenciales. La versi\u00f3n 11.0.0 incluye un parche para este problema."
}
],
"id": "CVE-2025-49139",
"lastModified": "2025-07-30T17:35:58.530",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-06-09T21:15:47.203",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1021"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-09 21:15
Modified
2025-07-30 17:36
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/haxtheweb/haxcms-nodejs/commit/5131fea6b6be611db76a618f89bd2e164752e9b3 | Patch | |
| security-advisories@github.com | https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw | Exploit, Issue Tracking, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-nodejs | * | |
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "42D865D7-81C8-45CD-AC00-FC519C682207",
"versionEndExcluding": "11.0.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A72C09C8-71A3-4B4F-BA0E-CF75016F5112",
"versionEndExcluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue."
},
{
"lang": "es",
"value": "HAX CMS PHP permite a los usuarios gestionar su universo de micrositios con un backend PHP. Antes de la versi\u00f3n 11.0.3, la funci\u00f3n `gitImportSite` obten\u00eda una URL de una solicitud POST y no validaba adecuadamente la entrada del usuario. La funci\u00f3n `set_remote` posteriormente pasa esta entrada a `proc_open`, lo que provoca la inyecci\u00f3n de comandos del sistema operativo. Un atacante autenticado puede manipular una URL que omita las comprobaciones de validaci\u00f3n empleadas por las funciones `filter_var` y `strpos` para ejecutar comandos arbitrarios del sistema operativo en el servidor backend. El atacante puede extraer la salida del comando mediante una solicitud HTTP. La versi\u00f3n 11.0.3 incluye un parche para este problema."
}
],
"id": "CVE-2025-49141",
"lastModified": "2025-07-30T17:36:08.923",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-06-09T21:15:47.360",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5131fea6b6be611db76a618f89bd2e164752e9b3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-09 21:15
Modified
2025-07-30 17:35
Severity ?
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A72C09C8-71A3-4B4F-BA0E-CF75016F5112",
"versionEndExcluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site\u0027s outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue."
}
],
"id": "CVE-2025-49138",
"lastModified": "2025-07-30T17:35:54.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-09T21:15:47.047",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php#L1248"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8g"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-73"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-49141 (GCVE-0-2025-49141)
Vulnerability from cvelistv5
Published
2025-06-09 21:11
Modified
2025-06-10 15:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw | x_refsource_CONFIRM | |
| https://github.com/haxtheweb/haxcms-nodejs/commit/5131fea6b6be611db76a618f89bd2e164752e9b3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49141",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:09:25.929196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:29:29.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T21:11:08.889Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4cf-pp4x-hqgw"
},
{
"name": "https://github.com/haxtheweb/haxcms-nodejs/commit/5131fea6b6be611db76a618f89bd2e164752e9b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5131fea6b6be611db76a618f89bd2e164752e9b3"
}
],
"source": {
"advisory": "GHSA-g4cf-pp4x-hqgw",
"discovery": "UNKNOWN"
},
"title": "HaxCMS-PHP Command Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49141",
"datePublished": "2025-06-09T21:11:08.889Z",
"dateReserved": "2025-06-02T10:39:41.634Z",
"dateUpdated": "2025-06-10T15:29:29.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49139 (GCVE-0-2025-49139)
Vulnerability from cvelistv5
Published
2025-06-09 21:08
Modified
2025-06-10 15:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88 | x_refsource_CONFIRM | |
| https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49139",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:09:50.317285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:29:40.105Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client\u0027s browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T21:08:44.391Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88"
},
{
"name": "https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5"
}
],
"source": {
"advisory": "GHSA-v3ph-2q5q-cg88",
"discovery": "UNKNOWN"
},
"title": "@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49139",
"datePublished": "2025-06-09T21:08:44.391Z",
"dateReserved": "2025-06-02T10:39:41.634Z",
"dateUpdated": "2025-06-10T15:29:40.105Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49137 (GCVE-0-2025-49137)
Vulnerability from cvelistv5
Published
2025-06-09 21:00
Modified
2025-06-10 15:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7 | x_refsource_CONFIRM | |
| https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49137",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:11:53.685905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:09.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T21:00:15.808Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
},
{
"name": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
}
],
"source": {
"advisory": "GHSA-2vc4-3hx7-v7v7",
"discovery": "UNKNOWN"
},
"title": "Hax CMS Stored Cross-Site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49137",
"datePublished": "2025-06-09T21:00:15.808Z",
"dateReserved": "2025-06-02T10:39:41.634Z",
"dateUpdated": "2025-06-10T15:30:09.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-53642 (GCVE-0-2025-53642)
Vulnerability from cvelistv5
Published
2025-07-11 17:33
Modified
2025-07-14 14:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-613 - Insufficient Session Expiration
Summary
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/haxtheweb/issues/security/advisories/GHSA-g4f5-5w5j-p5jg | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53642",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T14:17:42.685169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T14:17:55.724Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user\u0027s session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T17:33:05.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4f5-5w5j-p5jg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-g4f5-5w5j-p5jg"
}
],
"source": {
"advisory": "GHSA-g4f5-5w5j-p5jg",
"discovery": "UNKNOWN"
},
"title": "haxcms-nodejs and haxcms-php Improperly Terminate Sessions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53642",
"datePublished": "2025-07-11T17:33:05.861Z",
"dateReserved": "2025-07-07T14:20:38.391Z",
"dateUpdated": "2025-07-14T14:17:55.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54378 (GCVE-0-2025-54378)
Vulnerability from cvelistv5
Published
2025-07-26 03:27
Modified
2025-07-28 19:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54378",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T19:01:21.403243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T19:01:27.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don\u0027t check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:27:34.305Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
},
{
"name": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969"
},
{
"name": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd"
}
],
"source": {
"advisory": "GHSA-9jr9-8ff3-m894",
"discovery": "UNKNOWN"
},
"title": "HAX CMS Backend Lacks Comprehensive Authorization Checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54378",
"datePublished": "2025-07-26T03:27:34.305Z",
"dateReserved": "2025-07-21T16:12:20.733Z",
"dateUpdated": "2025-07-28T19:01:27.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-49138 (GCVE-0-2025-49138)
Vulnerability from cvelistv5
Published
2025-06-09 21:05
Modified
2025-06-10 15:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49138",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:10:20.341839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:29:50.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site\u0027s outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T21:05:23.245Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-hxrr-x32w-cg8g"
},
{
"name": "https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php#L1248",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php#L1248"
}
],
"source": {
"advisory": "GHSA-hxrr-x32w-cg8g",
"discovery": "UNKNOWN"
},
"title": "HAX CMS vulnerable to Local File Inclusion via saveOutline API Location Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49138",
"datePublished": "2025-06-09T21:05:23.245Z",
"dateReserved": "2025-06-02T10:39:41.634Z",
"dateUpdated": "2025-06-10T15:29:50.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54139 (GCVE-0-2025-54139)
Vulnerability from cvelistv5
Published
2025-07-22 23:24
Modified
2025-07-23 14:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Summary
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54139",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-23T14:53:34.260791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T14:53:40.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.13"
},
{
"status": "affected",
"version": "\u003c 11.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1021",
"description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-22T23:24:13.334Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j"
},
{
"name": "https://github.com/haxtheweb/haxcms-nodejs/commit/777f9a7ff9675a160496f350d766df1f1f9b9b99",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/777f9a7ff9675a160496f350d766df1f1f9b9b99"
},
{
"name": "https://github.com/haxtheweb/haxcms-php/commit/708dc8518928fe307044e67bff8b0f397cfdd606",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/708dc8518928fe307044e67bff8b0f397cfdd606"
}
],
"source": {
"advisory": "GHSA-54vw-f4xf-f92j",
"discovery": "UNKNOWN"
},
"title": "HAX CMS\u0027 application pages are vulnerable to clickjacking"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54139",
"datePublished": "2025-07-22T23:24:13.334Z",
"dateReserved": "2025-07-16T23:53:40.510Z",
"dateUpdated": "2025-07-23T14:53:40.521Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32028 (GCVE-0-2025-32028)
Vulnerability from cvelistv5
Published
2025-04-08 16:06
Modified
2025-04-08 20:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a ’save’ function in ’HAXCMSFile.php’. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks ’.php’, ’.sh’, ’.js’, and ’.css’ files. The existing logic causes the system to "fail open" rather than "fail closed." This vulnerability is fixed in 10.0.3.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32028",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-08T20:00:29.017786Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T20:00:56.916Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 10.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows you to manage your microsite universe with PHP backend. Multiple file upload functions within the HAX CMS PHP application call a \u2019save\u2019 function in \u2019HAXCMSFile.php\u2019. This save function uses a denylist to block specific file types from being uploaded to the server. This list is non-exhaustive and only blocks \u2019.php\u2019, \u2019.sh\u2019, \u2019.js\u2019, and \u2019.css\u2019 files. The existing logic causes the system to \"fail open\" rather than \"fail closed.\" This vulnerability is fixed in 10.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-08T16:06:33.976Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-vj5q-3jv2-cg5p"
}
],
"source": {
"advisory": "GHSA-vj5q-3jv2-cg5p",
"discovery": "UNKNOWN"
},
"title": "HAX CMS PHP allows Insecure File Upload to Lead to Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32028",
"datePublished": "2025-04-08T16:06:33.976Z",
"dateReserved": "2025-04-01T21:57:32.957Z",
"dateUpdated": "2025-04-08T20:00:56.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}