HAX CMS · CVE-2025-49138
**Name of the Vulnerable Software and Affected Versions**
HAX CMS PHP versions prior to 11.0.0
**Description**
HAX CMS PHP contains an authenticated Local File Inclusion (LFI) vulnerability in the `saveOutline` endpoint. A low-privileged authenticated user can read arbitrary files on the server by controlling the `location` field that the endpoint writes into the site's `site.json`. Any file readable by the web server process, such as `/etc/passwd`, application secrets or configuration files, can be exfiltrated this way.

The root cause is that the backend accepts the `location` field of the site outline without validating or sanitizing it. A POST request to `/system/api/saveOutline` makes the backend store the supplied `location` value verbatim in the `site.json` associated with the site. When the CMS later resolves a node, it uses the stored `location` to locate and load that node's content from disk. If the value contains a relative path such as `../../../etc/passwd`, the application reads and renders that file instead of a file under the site directory.
**Recommendations**
For versions prior to 11.0.0, update to version 11.0.0, which fixes the issue. As a temporary workaround, restrict access to the `/system/api/saveOutline` endpoint to reduce exposure, and enforce that any `location` value in a site outline resolves to a file inside that site's own directory, rejecting traversal sequences and absolute paths. Because the malicious value is persisted in `site.json`, also audit existing `site.json` files for `location` entries that point outside the site directory; those entries keep triggering the file read even after the endpoint itself has been restricted.
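The resolver pattern the description attributes to HAX CMS, and the check the workaround above calls for, as an added PHP example that is not HAX CMS code: `resolveNodeVulnerable` joins the stored `location` onto the site directory unchecked, while `resolveNodeSafe` canonicalises the path and refuses anything outside the site root. The function names, the site layout, the `items`/`location` shape of the constructed `site.json` fragment and the use of PHP 8 string helpers are assumptions made for the example.

```php
<?php
// Added example, not HAX CMS code. Function names, the site layout and the
// site.json shape below are assumptions. Requires PHP 8.0+ (str_contains,
// str_starts_with).
declare(strict_types=1);

// Constructed site.json fragment: the second node carries the traversal
// payload an authenticated user could store through saveOutline.
const SITE_JSON = '{
  "items": [
    {"id": "item-intro", "location": "pages/intro/index.html"},
    {"id": "item-evil",  "location": "../../../etc/passwd"}
  ]
}';

// Vulnerable shape: the stored value is joined onto the site directory as-is,
// so "../" sequences walk out of the site root. The original code would hand
// this path straight to a file read; here only the path is returned.
function resolveNodeVulnerable(string $siteDir, string $location): string
{
    return $siteDir . '/' . $location;
}

// Hardened shape: canonicalise first, then require the result to be a regular
// file strictly below the site root. realpath() collapses "../" and follows
// symlinks, so the prefix check runs on the real path, not the raw string.
function resolveNodeSafe(string $siteDir, string $location): ?string
{
    $root = realpath($siteDir);
    if ($root === false) {
        return null;
    }
    // Absolute paths and NUL bytes are never valid node locations.
    if ($location === '' || $location[0] === '/' || str_contains($location, "\0")) {
        return null;
    }
    $target = realpath($root . '/' . $location);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Trailing separator stops "/var/www/site" from matching "/var/www/site2".
    if (!str_starts_with($target, $root . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $target;
}

// Demo: build a throwaway site directory so the example runs on any host.
$siteDir = sys_get_temp_dir() . '/haxdemo-' . bin2hex(random_bytes(4));
mkdir($siteDir . '/pages/intro', 0700, true);
file_put_contents($siteDir . '/pages/intro/index.html', "<h1>intro</h1>\n");

$outline = json_decode(SITE_JSON, true, 512, JSON_THROW_ON_ERROR);
foreach ($outline['items'] as $item) {
    $vuln = resolveNodeVulnerable($siteDir, $item['location']);
    $safe = resolveNodeSafe($siteDir, $item['location']);
    printf("%-10s vulnerable -> %s\n", $item['id'], $vuln);
    printf("%-10s hardened   -> %s\n", $item['id'], $safe ?? 'REJECTED');
}

// Clean up the throwaway directory.
unlink($siteDir . '/pages/intro/index.html');
rmdir($siteDir . '/pages/intro');
rmdir($siteDir . '/pages');
rmdir($siteDir);
```

Run it with `php resolver.php`. The vulnerable resolver returns a path ending in `/etc/passwd` for the second node, while the hardened one rejects it because the canonical path does not sit under the site root. Scanning the raw string for `..` is not a substitute for this: the check has to happen after `realpath()`, and the same validation belongs in the `saveOutline` handler so that a traversal value is never written to `site.json` in the first place.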