How the CVE Works:
The vulnerability stems from an unauthenticated API endpoint (haxPsuUsage) in HAX CMS that exposes the full list of hosted websites without any access control. The endpoint (https://open-apis.hax.cloud/api/services/stats/haxPsuUsage) serves the site listing straight from haxPsuUsage.js without verifying the caller's permissions. An attacker can therefore enumerate every PSU-hosted HAX CMS site, which turns the listing into a ready-made target list when combined with authorization flaws such as HAX-3. Through that chain, functions like createNode(), deleteSite() and downloadSite() become reachable by unauthorized users, putting data integrity and confidentiality at risk.
DailyCVE Form:
Platform: HAX CMS
Version: PSU Deployment
Vulnerability: Information Disclosure
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch by 2023-12-15
What Undercode Says:
Analytics:
- Exploit Likelihood: High (Low skill required)
- Attack Surface: Remote, Unauthenticated
- Impact Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; note that the score reflects the chained impact via the authorization flaws above, not the listing disclosure on its own)
Exploit Commands:
1. Enumeration:
curl -s https://open-apis.hax.cloud/api/services/stats/haxPsuUsage | jq .
2. Chained Attack (Post-Auth, illustrative; the exact route depends on the authorization flaw being chained):
curl -X POST -H "Cookie: valid_session=123" -H "Content-Type: application/json" https://target.site/api/deleteSite -d '{"siteId":"victim_site"}'
Mitigation Commands:
1. Block Endpoint (Nginx):
location /api/services/stats/haxPsuUsage { deny all; }
2. Patch Code (Node.js; the original one-liner put the closing `});` inside the trailing comment, which is a syntax error, so it is written out here):
router.get('/haxPsuUsage', (req, res) => {
  // Reject anyone who is not an authenticated admin before touching the stats.
  if (!req.user || !req.user.isAdmin) return res.status(403).send();
  // Proceed with stats
});
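The patch above only shows the guard; to see the before/after behaviour side by side, here is an added example (not HAX CMS project code) of the unguarded route next to a guarded one, run against a tiny in-memory stand-in for an Express router so it executes offline. The router stand-in, the requireAdmin middleware, the SAMPLE_SITES data and the decision to return only aggregate counts to admins are all assumptions of this example, not the project's design.

```javascript
'use strict';

// Constructed sample data standing in for what haxPsuUsage.js would read from disk.
const SAMPLE_SITES = [
  { name: 'site-a', owner: 'alice' },
  { name: 'site-b', owner: 'bob' },
];

// Minimal stand-in for an Express router: stores GET handler chains by path.
function createRouter() {
  const routes = new Map();
  return {
    get(path, ...handlers) { routes.set(path, handlers); },
    // Runs the handler chain for a path and returns the final status/body.
    dispatch(path, req) {
      const handlers = routes.get(path);
      if (!handlers) return { status: 404, body: null };
      const res = makeRes();
      let i = 0;
      const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
      next();
      return res.result();
    },
  };
}

// Minimal response object with the subset of the Express API the handlers use.
function makeRes() {
  let status = 200;
  let body = null;
  const res = {
    status(code) { status = code; return res; },
    send(payload) { body = payload === undefined ? null : payload; return res; },
    json(obj) { body = obj; return res; },
    result() { return { status, body }; },
  };
  return res;
}

// Vulnerable shape: hands the full site listing to any caller (the advisory's bug).
function vulnerableHandler(req, res) {
  res.json({ sites: SAMPLE_SITES });
}

// Guard: 401 for anonymous callers, 403 for authenticated non-admins. Splitting the
// two codes makes the access log show whether probes came from logged-in accounts.
function requireAdmin(req, res, next) {
  if (!req.user) return res.status(401).send();
  if (!req.user.isAdmin) return res.status(403).send();
  next();
}

// Hardened shape: even admins get aggregate counts, not per-site names, so the
// "usage stats" endpoint stops being an enumeration oracle. (Assumption: stats
// consumers only need counts.)
function statsHandler(req, res) {
  const owners = new Set(SAMPLE_SITES.map((s) => s.owner));
  res.json({ siteCount: SAMPLE_SITES.length, ownerCount: owners.size });
}

const vulnerableRouter = createRouter();
vulnerableRouter.get('/haxPsuUsage', vulnerableHandler);

const hardenedRouter = createRouter();
hardenedRouter.get('/haxPsuUsage', requireAdmin, statsHandler);

// Issues a request with the given user object (undefined = anonymous).
function probe(router, user) {
  return router.dispatch('/haxPsuUsage', { user });
}

console.log('vulnerable, anonymous:', JSON.stringify(probe(vulnerableRouter, undefined)));
console.log('hardened, anonymous:  ', JSON.stringify(probe(hardenedRouter, undefined)));
console.log('hardened, admin:      ', JSON.stringify(probe(hardenedRouter, { isAdmin: true })));
```

The Nginx deny rule and the in-app guard are complementary: the proxy rule stops traffic today, while the guard survives a proxy misconfiguration or a deployment that is not behind that proxy.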
Detection Script (Python; a 200 with a site list means the endpoint is still open, anything else means it has been blocked or patched):
import requests

URL = "https://open-apis.hax.cloud/api/services/stats/haxPsuUsage"

# A timeout keeps the check from hanging if the host drops the connection.
response = requests.get(URL, timeout=10)
if response.status_code == 200 and "sites" in response.text:
    print("[!] Vulnerable to CVE-2023-XXXX")
else:
    print("[+] Endpoint is not serving the site listing (status %d)" % response.status_code)
Firewall Rule (IPTables; only meaningful for plaintext HTTP, since on port 443 the request path is inside TLS and the string match cannot see it, so for HTTPS deployments enforce the block at the TLS terminator with the Nginx rule above):
iptables -A INPUT -p tcp --dport 80 -m string --string "haxPsuUsage" --algo bm -j DROP
Log Monitoring (ELK Query):
{ "query": { "match": { "url.path": "/api/services/stats/haxPsuUsage" } } }
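The ELK query above finds hits on the path; what a responder then wants to know is whether any of those hits were actually served (status 200, meaning the block is not in place) and which clients are hammering the endpoint. The following added example (not part of the original post or of HAX CMS) runs that logic over a few constructed Nginx combined-format access log lines. The log lines, the IP addresses, the TARGET_PATH constant and the probing threshold are all constructed for the example; note that it strips query strings so that a request for haxPsuUsage?x=1 is not missed by an exact path match.

```javascript
'use strict';

// Constructed sample access log in Nginx "combined" format (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Nov/2023:14:02:11 +0000] "GET /api/services/stats/haxPsuUsage HTTP/1.1" 200 8123 "-" "curl/8.4.0"',
  '203.0.113.7 - - [10/Nov/2023:14:02:15 +0000] "GET /api/services/stats/haxPsuUsage HTTP/1.1" 200 8123 "-" "curl/8.4.0"',
  '198.51.100.23 - - [10/Nov/2023:14:03:40 +0000] "GET /api/services/stats/haxPsuUsage HTTP/1.1" 403 0 "-" "python-requests/2.31"',
  '198.51.100.23 - - [10/Nov/2023:14:03:41 +0000] "GET /api/services/stats/haxPsuUsage?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"',
  '192.0.2.5 - - [10/Nov/2023:14:05:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

// Path of the unauthenticated stats endpoint from the advisory.
const TARGET_PATH = '/api/services/stats/haxPsuUsage';

// Nginx combined format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Parses one line into a record, or returns null for lines that do not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status, , , ua] = m;
  // Drop the query string so "?x=1" variants still match the exact path.
  const path = target.split('?')[0];
  return { ip, ts, method, path, status: Number(status), ua };
}

// Summarises traffic to TARGET_PATH per client and produces findings:
//  - endpoint_still_served: at least one request got a 200 (block/patch not effective)
//  - repeated_probing: a single client hit the endpoint `threshold` or more times
function analyse(lines, { threshold = 2 } = {}) {
  const perIp = new Map();
  let served = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || rec.path !== TARGET_PATH) continue;
    const entry = perIp.get(rec.ip) || { hits: 0, served: 0, agents: new Set() };
    entry.hits += 1;
    if (rec.status === 200) { entry.served += 1; served += 1; }
    entry.agents.add(rec.ua);
    perIp.set(rec.ip, entry);
  }
  const findings = [];
  if (served > 0) findings.push({ type: 'endpoint_still_served', count: served });
  for (const [ip, e] of perIp) {
    if (e.hits >= threshold) {
      findings.push({ type: 'repeated_probing', ip, hits: e.hits, served: e.served, agents: [...e.agents] });
    }
  }
  return { perIp, findings };
}

for (const f of analyse(SAMPLE_LOG).findings) console.log(JSON.stringify(f));
```

In a real deployment the same two questions map onto the ELK query: add a filter on http.response.status_code:200 to see whether the listing is still being served, and aggregate on source.ip to spot the clients doing the enumeration.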
References:
Reported By: github.com