CVE-2025-49137

Name of the Vulnerable Software and Affected Versions HAX CMS PHP versions prior to 11.0.0

Description The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a script tag, it does allow the use of other HTML tags to run JavaScript. An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user's session cookie or other sensitive data.

Recommendations Update to version 11.0.0 to fix the issue. As a temporary workaround, consider restricting access to the 'saveNode' and 'saveManifest' endpoints until a patch is available. Avoid using the https://<site>/<user>/system/api/saveNode and https://<site>/<user>/system/api/saveManifest API endpoints with untrusted input. Restrict access to the site settings editor and site editor to minimize the risk of exploitation.