GHSA-V3PH-2Q5Q-CG88

Vulnerability from github – Published: 2025-06-09 19:07 – Updated: 2025-06-09 21:44
VLAI?
Summary
@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
Details

Summary

In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL.

Affected Resources

PoC

  1. Set the URL in an iframe pointing to an attacker-controlled server running Responder

image

  1. Once another user visits the site, they are prompted to sign in.

image

  1. If a user inputs credentials, the username and password hash are outputted in Responder.

image

Impact

An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@haxtheweb/haxcms-nodejs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49139"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1021"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-09T19:07:21Z",
    "nvd_published_at": "2025-06-09T21:15:47Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nIn the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client\u0027s browser will query the supplied URL.\n\n### Affected Resources\n\n- [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868)\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveNode`\n\n### PoC\n\n1. Set the URL in an iframe pointing to an attacker-controlled server running Responder\n\n![image](https://github.com/user-attachments/assets/baac23ec-7b1e-49cf-864d-c3550b2c71bf)\n\n2. Once another user visits the site, they are prompted to sign in.\n\n![image](https://github.com/user-attachments/assets/a3a0b75d-e12f-49cf-8669-9686353a92e2)\n\n3. If a user inputs credentials, the username and password hash are outputted in Responder.\n\n![image](https://github.com/user-attachments/assets/428542d3-8cf5-4bfa-b759-e630c3ee6ac3)\n\n### Impact\n\nAn authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials.",
  "id": "GHSA-v3ph-2q5q-cg88",
  "modified": "2025-06-09T21:44:07Z",
  "published": "2025-06-09T19:07:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49139"
    },
    {
      "type": "WEB",
      "url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/haxtheweb/issues"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.