CVE-2025-49139
BaseFortify
Publication date: 2025-06-09
Last updated on: 2025-07-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| psu | haxcms-nodejs | < 11.0.0 (11.0.0 excluded, i.e. fixed) |
| psu | haxcms-php | < 11.0.0 (11.0.0 excluded, i.e. fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1021 | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
AI Powered Q&A
Can you explain this vulnerability to me?
In HAX CMS before version 11.0.0 (the affected-products table above lists both the PHP and the NodeJS backend), an authenticated user with permission to author site content can create a website block that embeds an attacker-controlled URL in an iframe. The server does not restrict which origins may be framed. When another user visits the page, it is the visitor's browser, not the HAX server, that fetches the attacker's URL, so the attacker learns that the visitor arrived and can render arbitrary content, such as a fake login form, inside a page the visitor trusts. Because the frame appears to be part of the legitimate site, users are likely to enter credentials into it, which the attacker harvests. The weakness is catalogued as CWE-1021 (improper restriction of rendered UI layers or frames).
How can this vulnerability impact me?
The main consequence is phishing: an attacker who already holds a low-privileged authoring account can turn any site they control into a credential-harvesting page that looks like part of the HAX site. Harvested credentials can be replayed against HAX CMS itself or against other services where users reuse passwords, leading to account takeover and, for administrative accounts, full control of the affected site. Note that the framed content runs in the attacker's origin, so it cannot read the HAX page's DOM directly; the impact comes from what the victim is tricked into typing, plus the visitor metadata (IP address, user agent, referrer) the attacker's server receives on every page view.
What immediate steps should I take to mitigate this vulnerability?
Upgrade HAX CMS (PHP or NodeJS backend) to version 11.0.0 or later, which contains the fix. Until the upgrade is applied, treat iframe-bearing blocks as untrusted input: restrict which users may author blocks, review existing sites for iframes pointing at unexpected hosts, and, where possible, enforce an allowlist of embeddable origins. A Content-Security-Policy `frame-src` directive on served pages is a useful defence in depth, because the browser will refuse to load a frame from any origin not listed even if a malicious block slips through server-side validation.