Hax Cms · CVE-2025-49139
**Name of the Vulnerable Software and Affected Versions**
HAX CMS PHP versions prior to 11.0.0
**Description**
The issue allows an authenticated attacker to create a HAX site containing a website block that loads another site in an iframe, potentially leading to phishing attacks. When a user visits the malicious HAX site, their browser requests the supplied URL, which the attacker controls. This can be exploited by convincing another user to visit the malicious site, allowing the attacker to harvest credentials.
**Recommendations**
For versions prior to 11.0.0, update to version 11.0.0 to resolve the issue. As a temporary workaround, consider restricting the use of the website block feature in the HAX site editor to minimize the risk of exploitation.
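The workaround above is to restrict the website block feature. One concrete form of such a restriction, shown here as an added example that is not HAX CMS code, is to validate the URL a website block may embed against a host allowlist before it ever reaches an iframe `src`, and to render the frame with a restrictive `sandbox`. The function names, the option names and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not part of HAX CMS: allowlist validation for the URL a
// website block is permitted to embed. Names here are illustrative assumptions.
// `URL` is the WHATWG URL class, global in browsers and in Node.js.

// Returns { ok: true, url } for an acceptable embed target, otherwise
// { ok: false, reason } explaining why it was rejected.
function validateEmbedUrl(raw, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  // Only https: is accepted; this also rejects javascript:, data:, http:, etc.
  if (parsed.protocol !== "https:") {
    return { ok: false, reason: "scheme not https" };
  }
  // Reject embedded credentials (https://user:pass@host/), a classic lure.
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  const host = parsed.hostname.toLowerCase();
  // Exact host match or a subdomain of an allowlisted host; "notexample.edu"
  // must not pass for an allowlisted "example.edu".
  const allowed = allowedHosts.some(
    (h) => host === h.toLowerCase() || host.endsWith("." + h.toLowerCase())
  );
  if (!allowed) {
    return { ok: false, reason: "host not in allowlist" };
  }
  return { ok: true, url: parsed.href };
}

// Produces the attribute set for the iframe, or null if the URL is rejected.
// The sandbox value deliberately omits allow-forms and allow-top-navigation:
// the framed page cannot submit forms or navigate the embedding page.
function buildIframeAttributes(raw, allowedHosts) {
  const v = validateEmbedUrl(raw, allowedHosts);
  if (!v.ok) return null;
  return {
    src: v.url,
    sandbox: "allow-scripts",
    referrerpolicy: "no-referrer",
  };
}

// Constructed sample input: candidate embed URLs as a site author might enter them.
const SAMPLE_CANDIDATES = [
  "https://docs.example.edu/handbook",       // allowlisted host
  "https://media.docs.example.edu/clip",     // subdomain of allowlisted host
  "http://docs.example.edu/handbook",        // plain http
  "https://notexample.edu/login",            // lookalike host
  "https://user:pw@docs.example.edu/",       // credentials in URL
  "javascript:alert(1)",                     // non-https scheme
  "not a url at all",
];
const SAMPLE_ALLOWLIST = ["example.edu"];

// Screens every candidate and returns a map of URL -> validation result.
function screenCandidates(candidates = SAMPLE_CANDIDATES, allowlist = SAMPLE_ALLOWLIST) {
  const results = {};
  for (const c of candidates) {
    results[c] = validateEmbedUrl(c, allowlist);
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [url, r] of Object.entries(screenCandidates())) {
    console.log(r.ok ? "ALLOW" : "REJECT", url, r.ok ? "" : "(" + r.reason + ")");
  }
}
```

Where a per-site allowlist is too coarse, the same `validateEmbedUrl` check can be applied on the server side when the site JSON is saved, so that a stored website block never carries an unvetted `src` in the first place.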