PT-2025-30941

Author: Lfgberg
Published: 2025-07-25
Updated: 2025-07-26

CVE-2025-54378
CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions
HAX CMS versions 11.0.8 and below (haxcms-php)
HAX CMS versions 11.0.13 and below (haxcms-nodejs)

Description
The HAX CMS API endpoints do not perform authorization checks when interacting with resources. Both the JavaScript and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing an operation. The API endpoints check for user authentication but do not verify authorization before proceeding. Specifically, the following functions are affected in the PHP version: createNode(), saveNode(), deleteNode(), listSites(), createSite(), getConfig(), cloneSite(), deleteSite(), and archiveSite(). An authenticated attacker can potentially enumerate, modify, and delete other users' sites and nodes. Additionally, the getConfig endpoint may expose cleartext credentials.

Recommendations
HAX CMS versions prior to 11.0.9 (haxcms-php) should be updated.
HAX CMS versions prior to 11.0.14 (haxcms-nodejs) should be updated.


Weakness Enumeration
Improper Authorization
Missing Authorization

Related Identifiers
CVE-2025-54378
GHSA-9JR9-8FF3-M894

Affected Products
Hax Cms
Haxcms-Nodejs
Hax Cms Php