GHSA-9JR9-8FF3-M894

Vulnerability from github – Published: 2025-07-25 20:10 – Updated: 2025-07-28 13:04
VLAI?
Summary
HAX CMS API Lacks Authorization Checks
Details

Summary

The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation.

Details

The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation.

Affected Resources

Note: This may not include all affected endpoints within the application.

Impact

An authenticated attacker can make requests to interact with other users' sites. This can be used to enumerate, modify, and delete other users' sites and nodes.

Additionally, an authenticated attacker can use the 'getConfig' endpoint to pull the application's configuration, which may store cleartext credentials.

PoC - /deleteNode

  1. Browse to the 'site.json' file for a target site, and note the ID of the item to delete.

image

  1. Make a POST request to the 'deleteNode' endpoint with a valid JWT and the target object ID.

image

Site before editing:

image

Site after editing:

image

Severity ?
8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "elmsln/haxcms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-54378"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-25T20:10:22Z",
    "nvd_published_at": "2025-07-26T04:16:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation.\n\n### Details\n\nThe API endpoints within the HAX CMS application check if a user is authenticated, but don\u0027t check for authorization before performing an operation.\n\n#### Affected Resources\n\n- [Operations.php: 760](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L760) `createNode()`\n- [Operations.php: 868](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L868) `saveNode()`\n- [Operations.php: 1171](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L1171) `deleteNode()`\n- [Operations.php: 1789](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L1789) `listSites()`\n- [Operations.php: 1890](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L1890) `createSite()`\n- [Operations.php: 2196](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2195) `getConfig()`\n- [Operations.php: 2389](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2389) `cloneSite()`\n- [Operations.php: 2467](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2467) `deleteSite()`\n- [Operations.php: 2524](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2524) `downloadSite()`\n- [Operations.php: 2607](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/Operations.php#L2606) `archiveSite()`\n\n\n_Note: This may not include all affected endpoints within the application._\n\n### Impact\n\nAn authenticated attacker can make requests to interact with other users\u0027 sites. This can be used to enumerate, modify, and delete other users\u0027 sites and nodes.\n\nAdditionally, an authenticated attacker can use the \u0027getConfig\u0027 endpoint to pull the application\u0027s configuration, which may store cleartext credentials.\n\n### PoC - /deleteNode\n\n1. Browse to the \u0027site.json\u0027 file for a target site, and note the ID of the item to delete.\n\n![image](https://github.com/user-attachments/assets/84f8b396-876e-402b-b252-86d6cdec66c0)\n\n2. Make a POST request to the \u0027deleteNode\u0027 endpoint with a valid JWT and the target object ID.\n\n![image](https://github.com/user-attachments/assets/750f6b2b-ad57-4230-8fd9-05100c25cef5)\n\nSite before editing:\n\n![image](https://github.com/user-attachments/assets/b7482b53-fc12-4aca-a135-082f1751d4a2)\n\nSite after editing:\n\n![image](https://github.com/user-attachments/assets/5a982f70-d8ef-4523-bcdc-da2b5aa7f019)",
  "id": "GHSA-9jr9-8ff3-m894",
  "modified": "2025-07-28T13:04:31Z",
  "published": "2025-07-25T20:10:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54378"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HAX CMS API Lacks Authorization Checks"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.