CVE-2025-49137 (GCVE-0-2025-49137)
Vulnerability from cvelistv5 – Published: 2025-06-09 21:00 – Updated: 2025-06-10 15:30
VLAI?
Title
Hax CMS Stored Cross-Site Scripting vulnerability
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.
Severity ?
8.5 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49137",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:11:53.685905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:30:09.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "issues",
"vendor": "haxtheweb",
"versions": [
{
"status": "affected",
"version": "\u003c 11.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T21:00:15.808Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
},
{
"name": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
}
],
"source": {
"advisory": "GHSA-2vc4-3hx7-v7v7",
"discovery": "UNKNOWN"
},
"title": "Hax CMS Stored Cross-Site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-49137",
"datePublished": "2025-06-09T21:00:15.808Z",
"dateReserved": "2025-06-02T10:39:41.634Z",
"dateUpdated": "2025-06-10T15:30:09.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-49137\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-09T21:15:46.890\",\"lastModified\":\"2025-07-30T17:36:14.653\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"HAX CMS PHP permite a los usuarios gestionar su universo de micrositios con un backend PHP. Antes de la versi\u00f3n 11.0.0, la aplicaci\u00f3n no depuraba adecuadamente la entrada del usuario, lo que permit\u00eda la ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario. Los endpoints \\\"saveNode\\\" y \\\"saveManifest\\\" reciben la entrada del usuario y la almacenan en el esquema JSON del sitio. Este contenido se renderiza en el sitio HAX generado. Aunque la aplicaci\u00f3n no permite a los usuarios proporcionar una etiqueta `script`, s\u00ed permite el uso de otras etiquetas HTML para ejecutar JavaScript. La versi\u00f3n 11.0.0 soluciona este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"},{\"lang\":\"en\",\"value\":\"CWE-87\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"11.0.0\",\"matchCriteriaId\":\"BFE3138D-BCD5-4DF5-BB74-90A34118051F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"11.0.0\",\"matchCriteriaId\":\"A72C09C8-71A3-4B4F-BA0E-CF75016F5112\"}]}]}],\"references\":[{\"url\":\"https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49137\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-10T15:11:53.685905Z\"}}}], \"references\": [{\"url\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-10T14:22:46.643Z\"}}], \"cna\": {\"title\": \"Hax CMS Stored Cross-Site Scripting vulnerability\", \"source\": {\"advisory\": \"GHSA-2vc4-3hx7-v7v7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"haxtheweb\", \"product\": \"issues\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 11.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7\", \"name\": \"https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8\", \"name\": \"https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-87\", \"description\": \"CWE-87: Improper Neutralization of Alternate XSS Syntax\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-09T21:00:15.808Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-49137\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-10T15:30:09.073Z\", \"dateReserved\": \"2025-06-02T10:39:41.634Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-09T21:00:15.808Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2025-49137
Vulnerability from fkie_nvd - Published: 2025-06-09 21:15 - Updated: 2025-07-30 17:36
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8 | Patch | |
| security-advisories@github.com | https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7 | Exploit, Issue Tracking, Third Party Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| psu | haxcms-nodejs | * | |
| psu | haxcms-php | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "BFE3138D-BCD5-4DF5-BB74-90A34118051F",
"versionEndExcluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A72C09C8-71A3-4B4F-BA0E-CF75016F5112",
"versionEndExcluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue."
},
{
"lang": "es",
"value": "HAX CMS PHP permite a los usuarios gestionar su universo de micrositios con un backend PHP. Antes de la versi\u00f3n 11.0.0, la aplicaci\u00f3n no depuraba adecuadamente la entrada del usuario, lo que permit\u00eda la ejecuci\u00f3n de c\u00f3digo JavaScript arbitrario. Los endpoints \"saveNode\" y \"saveManifest\" reciben la entrada del usuario y la almacenan en el esquema JSON del sitio. Este contenido se renderiza en el sitio HAX generado. Aunque la aplicaci\u00f3n no permite a los usuarios proporcionar una etiqueta `script`, s\u00ed permite el uso de otras etiquetas HTML para ejecutar JavaScript. La versi\u00f3n 11.0.0 soluciona este problema."
}
],
"id": "CVE-2025-49137",
"lastModified": "2025-07-30T17:36:14.653",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-06-09T21:15:46.890",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-80"
},
{
"lang": "en",
"value": "CWE-87"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-2VC4-3HX7-V7V7
Vulnerability from github – Published: 2025-06-09 17:43 – Updated: 2025-06-09 21:43
VLAI?
Summary
Hax CMS Stored Cross-Site Scripting vulnerability
Details
Summary
The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.
Although the application does not allow users to supply a 'script' tag, it does allow the use of other HTML tags to run JavaScript.
Affected Resources
- Operations.php:258
saveManifest() - Operations.php:868
saveNode() https://<site>/<user>/system/api/saveNodehttps://<site>/<user>/system/api/saveManifest
Impact
An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user's session cookie or other sensitive data.
PoCs
saveNode
To replicate this vulnerability, an attacker can use the "View Source" functionality within the site editor to enter a malicious payload.
- Select "View Source" within the HAX site editor and enter an XSS payload that does not use the "script" HTML tag.
- Select "Update HTML" and observe the resulting alert.
saveManifest
To exploit the 'SaveManifest' endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.
- Open the site settings editor.
- Add JavaScript code to the URL field under the "Theme" header.
- Reload the page to run the script.
- The resulting page source will contain the script.
Severity ?
8.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "elmsln/haxcms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49137"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-09T17:43:37Z",
"nvd_published_at": "2025-06-09T21:15:46Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.\n\nAlthough the application does not allow users to supply a \u0027script\u0027 tag, it does allow the use of other HTML tags to run JavaScript.\n\n### Affected Resources\n\n- [Operations.php:258](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L258) `saveManifest()`\n- [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) `saveNode()`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveNode`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveManifest`\n\n### Impact\n\nAn authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user\u0027s session cookie or other sensitive data.\n\n### PoCs\n\n#### saveNode\n\nTo replicate this vulnerability, an attacker can use the \"View Source\" functionality within the site editor to enter a malicious payload.\n\n1. Select \"View Source\" within the HAX site editor and enter an XSS payload that does not use the \"script\" HTML tag.\n\n\n\n3. Select \"Update HTML\" and observe the resulting alert.\n\n\n\n\n\n#### saveManifest\n\nTo exploit the \u0027SaveManifest\u0027 endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.\n\n1. Open the site settings editor.\n\n\n\n3. Add JavaScript code to the URL field under the \"Theme\" header.\n\n\n\n5. Reload the page to run the script.\n\n\n\n7. The resulting page source will contain the script.\n\n",
"id": "GHSA-2vc4-3hx7-v7v7",
"modified": "2025-06-09T21:43:59Z",
"published": "2025-06-09T17:43:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49137"
},
{
"type": "WEB",
"url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/haxtheweb/issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hax CMS Stored Cross-Site Scripting vulnerability"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…