GHSA-2VC4-3HX7-V7V7

Vulnerability from github – Published: 2025-06-09 17:43 – Updated: 2025-06-09 21:43
VLAI?
Summary
Hax CMS Stored Cross-Site Scripting vulnerability
Details

Summary

The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.

Although the application does not allow users to supply a 'script' tag, it does allow the use of other HTML tags to run JavaScript.

Affected Resources

Impact

An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user's session cookie or other sensitive data.

PoCs

saveNode

To replicate this vulnerability, an attacker can use the "View Source" functionality within the site editor to enter a malicious payload.

  1. Select "View Source" within the HAX site editor and enter an XSS payload that does not use the "script" HTML tag.

image

  1. Select "Update HTML" and observe the resulting alert.

image

image

saveManifest

To exploit the 'SaveManifest' endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.

  1. Open the site settings editor.

image

  1. Add JavaScript code to the URL field under the "Theme" header.

image

  1. Reload the page to run the script.

image

  1. The resulting page source will contain the script.

image

Severity ?
8.5 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "elmsln/haxcms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49137"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80",
      "CWE-87"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T17:43:37Z",
    "nvd_published_at": "2025-06-09T21:15:46Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.\n\nAlthough the application does not allow users to supply a \u0027script\u0027 tag, it does allow the use of other HTML tags to run JavaScript.\n\n### Affected Resources\n\n- [Operations.php:258](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L258) `saveManifest()`\n- [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) `saveNode()`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveNode`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveManifest`\n\n### Impact\n\nAn authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user\u0027s session cookie or other sensitive data.\n\n### PoCs\n\n#### saveNode\n\nTo replicate this vulnerability, an attacker can use the \"View Source\" functionality within the site editor to enter a malicious payload.\n\n1. Select \"View Source\" within the HAX site editor and enter an XSS payload that does not use the \"script\" HTML tag.\n\n![image](https://github.com/user-attachments/assets/c22c52e6-079a-4add-94a2-b51b1a925a96)\n\n3. Select \"Update HTML\" and observe the resulting alert.\n\n![image](https://github.com/user-attachments/assets/df2da026-de47-4f65-bbc2-c4dbc8fb77e5)\n\n![image](https://github.com/user-attachments/assets/d593418c-73c6-4210-953e-faca8405174c)\n\n#### saveManifest\n\nTo exploit the \u0027SaveManifest\u0027 endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.\n\n1. Open the site settings editor.\n\n![image](https://github.com/user-attachments/assets/f7faa998-58ec-4085-9c65-d6a9f3831587)\n\n3. Add JavaScript code to the URL field under the \"Theme\" header.\n\n![image](https://github.com/user-attachments/assets/a99a7238-bb63-408c-8ca7-22deaffeca83)\n\n5. Reload the page to run the script.\n\n![image](https://github.com/user-attachments/assets/e634b1f3-58c1-44f6-8c8a-814773e69e83)\n\n7. The resulting page source will contain the script.\n\n![image](https://github.com/user-attachments/assets/a022d9d2-a6bf-41ad-a9f2-44a6a2f0fa07)",
  "id": "GHSA-2vc4-3hx7-v7v7",
  "modified": "2025-06-09T21:43:59Z",
  "published": "2025-06-09T17:43:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49137"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hax CMS Stored Cross-Site Scripting vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.