8 matches found
CVE-2025-49141
The CVE-2025-49141 entry concerns HAX CMS PHP (pre-11.0.3) with an OS command injection in the gitImportSite flow. The issue arises when gitImportSite retrieves a URL from a POST request and performs insufficient input validation; later, set_remote passes the input to proc_open, enabling an attac...
CVE-2025-49138
HAX CMS PHP before v11.0.0 is vulnerable to an authenticated Local File Inclusion via the saveOutline API. The backend stores the provided location value directly into site.json without validation, allowing an attacker to craft a relative path (for example ../../../etc/passwd) to read arbitrary f...
CVE-2025-32028
CVE-2025-32028 affects HAX CMS PHP. The issue lies in the save() function in HAXCMSFile.php, which blocks only a non-exhaustive list of file types (.php, .sh, .js, .css); the logic is described as fail-open, enabling insecure file uploads. This can lead to remote code execution as described acros...
CVE-2025-49139
CVE-2025-49139 pertains to HAX CMS (NodeJS/PHP) prior to version 11.0.0. The issue arises from a website block in the HAX site editor that lets an authenticated user specify a target URL to load in an iframe. When a user visits the attacker-controlled HAX site, the client’s browser requests the s...
CVE-2025-49137
HAX CMS PHP prior to 11.0.0 is vulnerable to stored XSS via the saveNode and saveManifest endpoints, where unsanitized user input is stored in the site JSON schema and rendered in the generated microsite. The issue allows execution of arbitrary JavaScript through HTML tags (notably without using ...
CVE-2025-54378
CVE-2025-54378 affects HAX CMS backends (nodejs and PHP). The issue is that API endpoints do not verify authorization for resource interactions, only checking authentication, allowing an authenticated user to perform privileged operations. Affected versions: haxcms-nodejs ≤ 11.0.13 and haxcms-php...
CVE-2025-54139
CVE-2025-54139 affects HAX CMS NodeJS and PHP backends. Versions haxcms-nodejs ≤ 11.0.12 and haxcms-php ≤ 11.0.7 expose pages without anti-iframe headers, enabling unauthenticated attackers to load sensitive pages (including login) in an iframe and perform a UI redress (clickjacking). Impact is U...
CVE-2025-53642
The CVE concerns haxcms-nodejs and haxcms-php backends for HAXcms. The logout flow does not terminate the user session or clear cookies, and a refresh token is issued on logout, enabling potential continued access. Affected versions are haxcms-nodejs and haxcms-php prior to 11.0.6. The issue is m...