23Younesm

**Name of the Vulnerable Software and Affected Versions** HAX open-apis versions up to and including 10.0.2 **Description** An unauthenticated information disclosure issue exists in the HAX content management system via the `haxPsuUsage` API endpoint. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When combined with other authorization issues, this could assist in targeted attacks such as unauthorized content modification or deletion. **Recommendations** For HAX open-apis versions up to and including 10.0.2, apply the patch from commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7 to resolve the issue. As a temporary workaround, consider restricting access to the `haxPsuUsage` API endpoint until the patch is applied.