Asareynolds

**Name of the Vulnerable Software and Affected Versions** HAXcms versions prior to 11.0.7 **Description** HAXcms with a nodejs backend allows users to start the server in any HAXsite or HAXcms instance. The NodeJS version of HAXcms, in versions 11.0.6 and below, uses an insecure default configuration intended for local development. This configuration lacks session authentication because the `HAXCMS DISABLE JWT CHECKS` variable is set to `true` by default. **Recommendations** HAXcms versions prior to 11.0.7: Update to version 11.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** HAX CMS NodeJs versions 11.0.7 and below **Description** HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. The NodeJS version of HAX CMS has a disabled Content Security Policy (CSP) in versions 11.0.7 and below. This configuration does not protect against cross-site-scripting attacks because the contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in `app.js`. **Recommendations** HAX CMS NodeJs version 11.0.8 or later should be used.

**Name of the Vulnerable Software and Affected Versions** HAX CMS NodeJs versions 11.0.8 and below **Description** HAX CMS NodeJs, a system for managing microsite universes with a NodeJs backend, is susceptible to a crash issue. An authenticated attacker can trigger this issue by sending API requests to the `listFiles` and `saveFiles` endpoints without providing the necessary URL parameters. The application fails to handle exceptions resulting from modifications to user-modifiable URL parameters, leading to the application crash. **Recommendations** Upgrade to version 11.0.9 or later.

**Name of the Vulnerable Software and Affected Versions** HAX CMS PHP versions prior to 11.0.0 **Description** The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user's session cookie or other sensitive data. **Recommendations** Update to version 11.0.0 to fix the issue. As a temporary workaround, consider restricting access to the 'saveNode' and 'saveManifest' endpoints until a patch is available. Avoid using the `https://<site>/<user>/system/api/saveNode` and `https://<site>/<user>/system/api/saveManifest` API endpoints with untrusted input. Restrict access to the site settings editor and site editor to minimize the risk of exploitation.