ghsa-9jr9-8ff3-m894
Vulnerability from github
Published
2025-07-25 20:10
Modified
2025-07-28 13:04
Severity ?
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Summary
HAX CMS API Lacks Authorization Checks
Details

Summary

The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation.

Details

The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation.

Affected Resources

Note: This may not include all affected endpoints within the application.

Impact

An authenticated attacker can make requests to interact with other users' sites. This can be used to enumerate, modify, and delete other users' sites and nodes.

Additionally, an authenticated attacker can use the 'getConfig' endpoint to pull the application's configuration, which may store cleartext credentials.

PoC - /deleteNode

  1. Browse to the 'site.json' file for a target site, and note the ID of the item to delete.

image

  1. Make a POST request to the 'deleteNode' endpoint with a valid JWT and the target object ID.

image

Site before editing:

image

Site after editing:

image

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "elmsln/haxcms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T20:10:22Z",
    "nvd_published_at": "2025-07-26T04:16:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation.\n\n### Details\n\nThe API endpoints within the HAX CMS application check if a user is authenticated, but don\u0027t check for authorization before performing an operation.\n\n#### Affected Resources\n\n- [Operations.php: 760](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L760) `createNode()`\n- [Operations.php: 868](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L868) `saveNode()`\n- [Operations.php: 1171](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L1171) `deleteNode()`\n- [Operations.php: 1789](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L1789) `listSites()`\n- [Operations.php: 1890](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L1890) `createSite()`\n- [Operations.php: 2196](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2195) `getConfig()`\n- [Operations.php: 2389](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2389) `cloneSite()`\n- [Operations.php: 2467](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2467) `deleteSite()`\n- [Operations.php: 2524](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2524) `downloadSite()`\n- [Operations.php: 2607](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2606) `archiveSite()`\n\n\n_Note: This may not include all affected endpoints within the application._\n\n### Impact\n\nAn authenticated attacker can make requests to interact with other users\u0027 sites. This can be used to enumerate, modify, and delete other users\u0027 sites and nodes.\n\nAdditionally, an authenticated attacker can use the \u0027getConfig\u0027 endpoint to pull the application\u0027s configuration, which may store cleartext credentials.\n\n### PoC - /deleteNode\n\n1. Browse to the \u0027site.json\u0027 file for a target site, and note the ID of the item to delete.\n\n![image](https://github.com/user-attachments/assets/84f8b396-876e-402b-b252-86d6cdec66c0)\n\n2. Make a POST request to the \u0027deleteNode\u0027 endpoint with a valid JWT and the target object ID.\n\n![image](https://github.com/user-attachments/assets/750f6b2b-ad57-4230-8fd9-05100c25cef5)\n\nSite before editing:\n\n![image](https://github.com/user-attachments/assets/b7482b53-fc12-4aca-a135-082f1751d4a2)\n\nSite after editing:\n\n![image](https://github.com/user-attachments/assets/5a982f70-d8ef-4523-bcdc-da2b5aa7f019)",
  "id": "GHSA-9jr9-8ff3-m894",
  "modified": "2025-07-28T13:04:31Z",
  "published": "2025-07-25T20:10:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HAX CMS API Lacks Authorization Checks"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.