CVE-2025-49138
BaseFortify

Publication date: 2025-06-09

Last updated on: 2025-07-30

Assigner: GitHub, Inc.

Description
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later, the CMS interprets the location value to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue.
Meta Information
Published: 2025-06-09
Last Modified: 2025-07-30
Generated: 2026-05-07
AI Q&A: 2025-06-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
psu | haxcms-php | to 11.0.0 (exc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-NVD-CWE-Other
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Local File Inclusion (LFI) issue in HAX CMS PHP versions prior to 11.0.0. It allows an authenticated user with low privileges to manipulate the 'location' field in the saveOutline endpoint. By sending a specially crafted POST request, the user can cause the backend to write arbitrary file paths into the site.json file. Later, the CMS reads this location and attempts to load the specified file, enabling the attacker to read arbitrary files on the server, such as sensitive system files or configuration files.


How can this vulnerability impact me?

This vulnerability can allow an attacker to read sensitive files on the server, including system files like /etc/passwd, application secrets, or configuration files accessible to the web server user. This can lead to information disclosure, potentially exposing credentials or other sensitive data, which could be used for further attacks or unauthorized access.


What immediate steps should I take to mitigate this vulnerability?

Upgrade HAX CMS to version 11.0.0 or later, as this version fixes the Local File Inclusion vulnerability by properly validating and sanitizing the location field in the saveOutline endpoint. Until the upgrade can be applied, restrict access to the /system/api/saveOutline endpoint to trusted users only and monitor for suspicious POST requests that manipulate the location parameter.

