Lfgberg

**Name of the Vulnerable Software and Affected Versions** HAX CMS versions 11.0.8 and below (haxcms-php) HAX CMS versions 11.0.13 and below (haxcms-nodejs) **Description** The HAX CMS API endpoints do not perform authorization checks when interacting with resources. Both the JavaScript and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing an operation. The API endpoints check for user authentication but do not verify authorization before proceeding. Specifically, the following functions are affected in the PHP version: `createNode()`, `saveNode()`, `deleteNode()`, `listSites()`, `createSite()`, `getConfig()`, `cloneSite()`, `deleteSite()`, and `archiveSite()`. An authenticated attacker can potentially enumerate, modify, and delete other users' sites and nodes. Additionally, the `getConfig` endpoint may expose cleartext credentials. **Recommendations** HAX CMS versions prior to 11.0.9 (haxcms-php) should be updated. HAX CMS versions prior to 11.0.14 (haxcms-nodejs) should be updated.

**Name of the Vulnerable Software and Affected Versions** HAXiam versions 11.0.4 and below **Description** HAXiam is a packaging wrapper for HAXcms which allows anyone to spawn their own microsite management platform. The application returns a 200 response when requesting the data of a valid user and a 404 response when requesting the data of an invalid user. This behavior can be used to infer the existence of valid user accounts. An authenticated attacker can use automated tooling to brute force potential usernames and use the application's response to identify valid accounts. This can be used in conjunction with other vulnerabilities, such as the lack of authorization checks, to enumerate and deface another user's sites. **Recommendations** Update HAXiam to version 11.0.5 or later.

**Name of the Vulnerable Software and Affected Versions** HAX CMS versions 11.0.7 and below (PHP) HAX CMS versions 11.0.12 and below (NodeJS) **Description** HAX CMS does not include headers to prevent websites from loading the application within an iframe. This affects both the CMS and generated sites. An unauthenticated attacker can load sensitive functionality, such as the login page, within an iframe, enabling a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to coerce users into performing unintended actions. **Recommendations** HAX CMS versions 11.0.7 and below (PHP): Update to version 11.0.8 or later. HAX CMS versions 11.0.12 and below (NodeJS): Update to version 11.0.13 or later.

**Name of the Vulnerable Software and Affected Versions:** haxcms-nodejs versions prior to 11.0.6 haxcms-php versions prior to 11.0.6 **Description:** The logout function does not properly terminate user sessions or clear cookies. A refresh token is issued during logout, potentially allowing continued access. **Recommendations:** Update haxcms-nodejs to version 11.0.6 or later. Update haxcms-php to version 11.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** HAX CMS PHP versions prior to 11.0.0 **Description** The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a `script` tag, it does allow the use of other HTML tags to run JavaScript. An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user's session cookie or other sensitive data. **Recommendations** Update to version 11.0.0 to fix the issue. As a temporary workaround, consider restricting access to the 'saveNode' and 'saveManifest' endpoints until a patch is available. Avoid using the `https://<site>/<user>/system/api/saveNode` and `https://<site>/<user>/system/api/saveManifest` API endpoints with untrusted input. Restrict access to the site settings editor and site editor to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** HAX CMS PHP versions prior to 11.0.0 **Description** The issue allows an authenticated attacker to create a HAX site with a website block that can load another site in an iframe, potentially leading to phishing attacks. When a user visits the malicious HAX site, their browser will query the supplied URL, which can be controlled by the attacker. This can be exploited by convincing another user to visit the malicious site, allowing the attacker to harvest credentials. **Recommendations** For versions prior to 11.0.0, update to version 11.0.0 to resolve the issue. As a temporary workaround, consider restricting the use of the website block feature in the HAX site editor to minimize the risk of exploitation.