CVE-2025-54378 (GCVE-0-2025-54378)
Vulnerability from cvelistv5
Published
2025-07-26 03:27
Modified
2025-07-28 19:01
Severity ?
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
CWE
Summary
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.
References
security-advisories@github.comhttps://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969Patch
security-advisories@github.comhttps://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfdPatch
security-advisories@github.comhttps://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894Exploit, Third Party Advisory
Impacted products
Vendor Product Version
haxtheweb issues Version: < 11.0.14
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-54378",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T19:01:21.403243Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T19:01:27.428Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "issues",
          "vendor": "haxtheweb",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 11.0.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don\u0027t check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-26T03:27:34.305Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
        },
        {
          "name": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969"
        },
        {
          "name": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd"
        }
      ],
      "source": {
        "advisory": "GHSA-9jr9-8ff3-m894",
        "discovery": "UNKNOWN"
      },
      "title": "HAX CMS Backend Lacks Comprehensive Authorization Checks"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-54378",
    "datePublished": "2025-07-26T03:27:34.305Z",
    "dateReserved": "2025-07-21T16:12:20.733Z",
    "dateUpdated": "2025-07-28T19:01:27.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-54378\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-26T04:16:05.967\",\"lastModified\":\"2025-08-21T20:54:52.883\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don\u0027t check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.\"},{\"lang\":\"es\",\"value\":\"HAX CMS permite gestionar el universo de micrositios con backends PHP o NodeJs. En las versiones 11.0.13 y anteriores de haxcms-nodejs y 11.0.8 y anteriores de haxcms-php, los endpoints de la API no realizan comprobaciones de autorizaci\u00f3n al interactuar con un recurso. Tanto la versi\u00f3n JS como la PHP del CMS no verifican que un usuario tenga permiso para interactuar con un recurso antes de realizar una operaci\u00f3n. Los endpoints de la API dentro de la aplicaci\u00f3n HAX CMS comprueban si un usuario est\u00e1 autenticado, pero no comprueban la autorizaci\u00f3n antes de realizar una operaci\u00f3n. Esto se ha corregido en las versiones 11.0.14 de haxcms-nodejs y 11.0.9 de haxcms-php.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"11.0.14\",\"matchCriteriaId\":\"3129AEF5-B4C5-4694-AE1F-9A402890B1E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.0.9\",\"matchCriteriaId\":\"1A74B72F-D438-44F9-9A3D-53CE9D8487A4\"}]}]}],\"references\":[{\"url\":\"https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54378\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-28T19:01:21.403243Z\"}}}], \"references\": [{\"url\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-28T19:01:15.163Z\"}}], \"cna\": {\"title\": \"HAX CMS Backend Lacks Comprehensive Authorization Checks\", \"source\": {\"advisory\": \"GHSA-9jr9-8ff3-m894\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"haxtheweb\", \"product\": \"issues\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 11.0.14\"}]}], \"references\": [{\"url\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894\", \"name\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969\", \"name\": \"https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd\", \"name\": \"https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don\u0027t check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285: Improper Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-26T03:27:34.305Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-54378\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-28T19:01:27.428Z\", \"dateReserved\": \"2025-07-21T16:12:20.733Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-26T03:27:34.305Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.