CVE-2025-54378
BaseFortify
Publication date: 2025-07-26
Last updated on: 2025-08-21
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| psu | haxcms-nodejs | < 11.0.14 (fixed in 11.0.14) |
| psu | haxcms-php | < 11.0.9 (fixed in 11.0.9) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | Missing Authorization: the product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-285 | Improper Authorization: the product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54378 is a vulnerability in HAX CMS (both the Node.js and the PHP versions) where API endpoints do not perform proper authorization checks. The system verifies that a user is authenticated, but it fails to confirm that the authenticated user has permission to interact with the specific resource named in the request. This allows an authenticated attacker to perform unauthorized operations such as creating, modifying, deleting, or enumerating other users' sites and nodes. The vulnerability affects multiple API endpoints and can lead to unauthorized data access and manipulation. [1]
How can this vulnerability impact me? :
This vulnerability can allow an authenticated attacker with low privileges to remotely perform unauthorized actions on the HAX CMS, including modifying, deleting, or enumerating other users' sites and nodes. It can also expose sensitive configuration data, such as cleartext credentials, through endpoints like getConfig. The impact includes high integrity and availability risks, as attackers can delete or alter content, and some confidentiality loss due to potential data exposure. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to correlating who called an API endpoint with who owns the site or node that the call targeted. Specifically, watch requests to the endpoints named in the advisory, createNode(), saveNode(), deleteNode(), listSites(), createSite(), getConfig(), cloneSite(), deleteSite(), downloadSite() and archiveSite(), and flag any that succeed (HTTP 2xx) when the authenticated user is not the owner of the site or node referenced in the request. Because vulnerable versions only check that the caller is authenticated, there is no authorization failure in the logs to look for; the mismatch between caller and owner is the signal.

To test an instance, use a valid JWT or session for a low-privileged account and send POST requests that name resources this account does not own (for example, node IDs taken from another user's site.json):

`curl -X POST -H "Authorization: Bearer <valid_JWT_token>" -H "Content-Type: application/json" -d '{"nodeId":"<target_node_id>"}' https://<haxcms_host>/api/deleteNode`

The API path and body fields above are placeholders and follow your deployment. A patched instance answers HTTP 403 Forbidden; a vulnerable one carries out the operation, so run such a test only against a site you own or a disposable copy, since the request is destructive. Additionally, review logs for requests to these endpoints that omit or tamper with the site_token or user_token parameters, as that indicates attempts to exploit the vulnerability. [1]
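The correlation described above, as an added example that is not part of the original page and not HAX CMS's own code: it scans access-log entries for calls to the listed endpoints that succeeded although the caller does not own the targeted site. The log format (one JSON object per line with path, status, authorization header and parsed body), the JWT claim name `user`, the body field `site_uuid`, the `/api/` path prefix and the site-owner map are all assumptions; adapt them to what your reverse proxy and instance actually log. The sample log lines are constructed.

```javascript
// Added example for this page (not BaseFortify's or HAX CMS's own code): scan
// API access-log entries for calls to the endpoints named in the advisory that
// succeeded even though the caller does not own the targeted site. The log
// format, the JWT claim "user", the body field "site_uuid" and the owner map
// are assumptions; adapt them to what your proxy and instance log.

// Endpoints listed in the advisory as lacking per-resource authorization.
const SENSITIVE_ENDPOINTS = new Set([
  'createNode', 'saveNode', 'deleteNode', 'listSites', 'createSite',
  'getConfig', 'cloneSite', 'deleteSite', 'downloadSite', 'archiveSite',
]);

// Read the claims segment of a JWT without verifying the signature. That is
// acceptable for offline log review only; never authenticate a request this way.
function jwtClaims(bearer) {
  const parts = bearer.replace(/^Bearer\s+/i, '').split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch {
    return null;
  }
}

// Pull the endpoint name out of a path such as /system/api/deleteNode
// (the "/api/" prefix is an assumption about the deployment's routing).
function endpointOf(path) {
  const m = path.match(/\/api\/([A-Za-z]+)(?:\?|$)/);
  return m ? m[1] : null;
}

// logLines: array of JSON strings. siteOwners: siteId -> owner username,
// assumed to be built from your site registry or each site's site.json.
function findCrossTenantCalls(logLines, siteOwners) {
  const hits = [];
  for (const line of logLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const endpoint = endpointOf(entry.path || '');
    if (!endpoint || !SENSITIVE_ENDPOINTS.has(endpoint)) continue;
    const claims = jwtClaims(entry.authorization || '');
    const caller = claims && claims.user;
    const siteId = entry.body && entry.body.site_uuid;
    if (!caller || !siteId || !(siteId in siteOwners)) continue;
    // The signal: a successful call where the caller is not the owner. On a
    // vulnerable instance there is no 403 to look for, so the mismatch is it.
    if (siteOwners[siteId] !== caller && entry.status < 400) {
      hits.push({ caller, owner: siteOwners[siteId], siteId, endpoint, status: entry.status });
    }
  }
  return hits;
}

// --- Constructed sample data (not real log output) -------------------------
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Unsigned stand-in for a real token; enough to exercise the claim parsing.
function fakeJwt(claims) {
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(claims)}.sig`;
}
const SITE_OWNERS = { 'site-a': 'alice', 'site-b': 'bob' };
const SAMPLE_LOG = [
  { path: '/system/api/saveNode',   status: 200, user: 'alice',   site: 'site-a' },
  { path: '/system/api/deleteNode', status: 200, user: 'mallory', site: 'site-a' },
  { path: '/system/api/deleteSite', status: 403, user: 'mallory', site: 'site-b' },
  { path: '/system/api/getConfig',  status: 200, user: 'mallory', site: null },
].map((e) => JSON.stringify({
  path: e.path,
  status: e.status,
  authorization: 'Bearer ' + fakeJwt({ user: e.user }),
  body: e.site ? { site_uuid: e.site } : {},
})).concat(['this line is not JSON']);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findCrossTenantCalls(SAMPLE_LOG, SITE_OWNERS));
}
```

Only the second sample line is reported: alice editing her own site is normal, mallory's deleteSite attempt already failed with 403, and getConfig carries no site identifier so this rule cannot judge it. getConfig needs a separate rule keyed on which accounts are expected to read configuration at all.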
What immediate steps should I take to mitigate this vulnerability?
Upgrade to the fixed versions, haxcms-nodejs 11.0.14 or later and haxcms-php 11.0.9 or later, in which the API endpoints enforce per-resource authorization checks and token validation.

Until the upgrade is applied, reduce exposure: restrict the API endpoints to trusted networks and users with firewall or reverse-proxy rules. Keep in mind that this only narrows the pool of potential attackers, because the vulnerability is exploitable by any authenticated low-privileged account, not just by outsiders, so also review which accounts exist and disable any that are not needed.

Monitor and alert on API calls to the create, modify, delete, clone, download and archive endpoints that lack a valid site_token or user_token, and on successful calls that target sites or nodes the caller does not own. If you maintain local patches, enforce strict token validation on every API request and return HTTP 403 Forbidden when the token is missing or invalid, so that unauthorized users cannot perform those operations. [2, 3]
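The authorization gap this page describes, shown as an added example that is not HAX CMS's own code: a minimal in-memory deleteNode handler that checks only authentication, next to a hardened version that confirms the caller owns the targeted site before touching anything. The site registry, the `owner` attribute, the request body fields and the already-authenticated `req.user` are assumptions for illustration.

```javascript
// Added example for this page (not HAX CMS's own code): the authorization gap
// described above, modelled as a minimal in-memory deleteNode handler, next to
// a hardened version. The data shapes, the "owner" attribute, the body field
// names and the already-authenticated req.user are assumptions.

// Constructed site registry: each site records its owner and its nodes.
function makeSites() {
  return {
    'site-a': { owner: 'alice', nodes: { 'node-1': 'Hello', 'node-2': 'World' } },
    'site-b': { owner: 'bob', nodes: { 'node-9': 'Bob only' } },
  };
}

// Authentication stub. A real handler would verify the JWT signature and
// expiry here; for the example the request carries the validated username.
function authenticatedUser(req) {
  return req.user || null;
}

// Vulnerable pattern (CWE-862): "is the caller logged in?" is the only check,
// so any authenticated account can delete nodes in any site it can name.
function deleteNodeVulnerable(sites, req) {
  if (!authenticatedUser(req)) return { status: 401 };
  const body = req.body || {};
  const site = sites[body.site_uuid];
  if (!site || !(body.nodeId in site.nodes)) return { status: 404 };
  delete site.nodes[body.nodeId];
  return { status: 200 };
}

// Hardened pattern: resolve the target site, confirm the caller owns it, and
// only then touch the node. Ownership is checked before the node lookup so a
// non-owner cannot probe which node ids exist by comparing 404 with 403.
function deleteNodeHardened(sites, req) {
  const user = authenticatedUser(req);
  if (!user) return { status: 401 };
  const body = req.body || {};
  const site = sites[body.site_uuid];
  if (!site) return { status: 404 };
  if (site.owner !== user) return { status: 403 };
  if (!(body.nodeId in site.nodes)) return { status: 404 };
  delete site.nodes[body.nodeId];
  return { status: 200 };
}

// Run the same cross-tenant request through both handlers.
function demo() {
  const attacker = { user: 'mallory', body: { site_uuid: 'site-a', nodeId: 'node-1' } };
  const owner = { user: 'alice', body: { site_uuid: 'site-a', nodeId: 'node-1' } };

  const vulnSites = makeSites();
  const vuln = deleteNodeVulnerable(vulnSites, attacker);
  const hardSites = makeSites();
  const hard = deleteNodeHardened(hardSites, attacker);

  return {
    vulnerableStatus: vuln.status,                                    // 200
    vulnerableNodeGone: !('node-1' in vulnSites['site-a'].nodes),     // true
    hardenedStatus: hard.status,                                      // 403
    hardenedNodeGone: !('node-1' in hardSites['site-a'].nodes),       // false
    ownerStatus: deleteNodeHardened(makeSites(), owner).status,       // 200
    anonymousStatus: deleteNodeHardened(makeSites(), { body: owner.body }).status, // 401
  };
}
```

The same shape applies to the other endpoints in the advisory: look the resource up first, derive the permission from the resource (its owner, or a per-site access list), and only then act. Checking a generic "is logged in" flag, or a token that is not bound to the specific site, is exactly what the vulnerable versions did.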