Filtered by vendor Haxtheweb Subscriptions
Filtered by product Haxcms-php Subscriptions

Search

Switch to Advanced Search (Beta)
Total 3 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-54378 1 Haxtheweb 2 Haxcms-nodejs, Haxcms-php 2025-07-29 8.3 High
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.
CVE-2025-54139 1 Haxtheweb 2 Haxcms-nodejs, Haxcms-php 2025-07-25 4.3 Medium
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.
CVE-2025-53642 1 Haxtheweb 2 Haxcms-nodejs, Haxcms-php 2025-07-15 4.8 Medium
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6.