CVE-2025-54139
BaseFortify
Publication date: 2025-07-23
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| psu | haxcms-nodejs | From 11.0.6 (inc) to 11.0.13 (exc) |
| psu | haxcms-php | From 11.0.0 (inc) to 11.0.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1021 | The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in HAX CMS (versions 11.0.12 and below for nodejs, and 11.0.7 and below for php) occurs because the application does not include headers that prevent other websites from loading its pages within an iframe. This allows an unauthenticated attacker to load sensitive pages like the login page inside an iframe on a malicious site and perform a UI redressing attack (clickjacking). The attacker can trick users into performing unintended actions by overlaying or hiding the real interface behind deceptive content.
How can this vulnerability impact me?
The vulnerability can lead to social engineering attacks where users are tricked into interacting with the HAX CMS application in unintended ways, potentially compromising their accounts or performing unauthorized actions. Since the attack is unauthenticated and relies on clickjacking, it can affect any user accessing the CMS or generated sites, leading to potential misuse or manipulation of the application.
What immediate steps should I take to mitigate this vulnerability?
Upgrade haxcms-nodejs to version 11.0.13 or higher, or haxcms-php to version 11.0.8 or higher to ensure that the application includes headers preventing iframe embedding and thus mitigates the clickjacking vulnerability.
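The two answers above come down to one question a defender can check directly: does the CMS response carry a header that stops other origins from framing it? The following Node.js snippet is an added example, not HAX CMS project code; it classifies a response's header set by the two mechanisms browsers honour (the `frame-ancestors` CSP directive, which takes precedence, and `X-Frame-Options`) and shows the hardened header set beside the vulnerable one. The header objects are constructed for illustration, and `framingPolicy`, `isClickjackingProtected` and `withAntiFramingHeaders` are names chosen here.

```javascript
// Added example (not HAX CMS code): determine how a page may be framed, based
// only on its response headers. Header names are matched case-insensitively,
// as Node's http module also lowercases them.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors overrides X-Frame-Options when both are present.
  // A Content-Security-Policy-Report-Only header is deliberately ignored:
  // it reports violations but does not block framing.
  const csp = h['content-security-policy'];
  if (csp) {
    const dir = csp.split(';').map((s) => s.trim())
      .find((s) => s.toLowerCase().startsWith('frame-ancestors'));
    if (dir) {
      const sources = dir.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, '').toLowerCase());
      if (sources.includes('none')) return 'deny';
      if (sources.includes('*')) return 'unprotected';
      if (sources.length === 1 && sources[0] === 'self') return 'same-origin';
      return 'allow-list'; // explicit list of permitted framing origins
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'unprotected'; // no anti-framing header at all: clickjackable
}

function isClickjackingProtected(headers) {
  return framingPolicy(headers) !== 'unprotected';
}

// Mitigation: add both headers to a response. Sending X-Frame-Options as well
// as CSP covers older browsers that do not evaluate frame-ancestors.
// Note: this replaces any existing CSP; merge directives instead if one exists.
function withAntiFramingHeaders(headers, allowSelf = false) {
  return {
    ...headers,
    'X-Frame-Options': allowSelf ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': allowSelf ? "frame-ancestors 'self'" : "frame-ancestors 'none'",
  };
}

// Constructed header sets: what the unpatched CMS returned (no anti-framing
// header) and what a fixed deployment that frames its own pages returns.
const VULNERABLE_HEADERS = { 'Content-Type': 'text/html; charset=utf-8' };
const HARDENED_HEADERS = withAntiFramingHeaders(VULNERABLE_HEADERS, true);
```

Running `framingPolicy` against a live response (for example via `fetch` and `response.headers`) on the login page after upgrading is a quick way to confirm the fix is actually deployed behind any reverse proxy that might strip headers.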