CVE-2025-49137

Опубликовано: 09 июн. 2025

Источник: nvd

CVSS3: 8.5

CVSS3: 6.1

EPSS Низкий

Описание

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, the application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a script tag, it does allow the use of other HTML tags to run JavaScript. Version 11.0.0 fixes the issue.

Ссылки

https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8
Patch
https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7
Exploit
Issue Tracking
Third Party Advisory
https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7
Exploit
Issue Tracking
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*

Версия до 11.0.0 (исключая)

cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*

Версия до 11.0.0 (исключая)

EPSS

Процентиль: 16%

0.00052

Низкий

8.5 High

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-2vc4-3hx7-v7v7

CVSS3: 8.5

github

8 месяцев назад

Hax CMS Stored Cross-Site Scripting vulnerability

EPSS

Процентиль: 16%

0.00052

Низкий

8.5 High

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-79