HAX CMS PHP Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in HAX CMS PHP versions through 10.0.6. The issue arises because the application fails to properly sanitize user input, allowing authenticated users to execute arbitrary JavaScript. The payload is submitted through the 'saveNode' and 'saveManifest' endpoints, which store it in the site's JSON schema. Although direct inclusion of 'script' tags is prohibited, other HTML tags can still be used to execute JavaScript, posing a risk of session cookie theft or exposure of sensitive information.
Impact
Exploitation of this vulnerability allows authenticated users to inject and execute malicious JavaScript on the site, potentially leading to theft of session cookies or other sensitive data.
Reproduction
To reproduce this vulnerability, an authenticated user can use the HAX site editor to reach the 'saveNode' endpoint. After selecting 'View Source' and entering a JavaScript payload that bypasses the 'script' tag restriction, the injected code executes when the page is loaded. Alternatively, the 'saveManifest' endpoint can be exploited by inserting executable code into the URL field of the site settings editor, which runs when the site is accessed.
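The weakness described under Vulnerability and exercised above, a filter that blocks only 'script' tags while other markup still executes JavaScript, is shown with an added Python example (not HAX CMS code, which is PHP): a script-tag-only blocklist beside an allowlist sanitizer that also rejects event-handler attributes and non-http(s) URLs in 'href'/'src', with the same URL check usable for URL-typed settings fields such as the one saved through 'saveManifest'. The tag and attribute allowlist is an assumption chosen for illustration, not the project's own.

```python
# Added example (not HAX CMS code): a <script>-only blocklist beside an
# allowlist sanitizer that also drops on* attributes and non-http(s) URLs.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

def strip_script_tags_only(html: str) -> str:
    # Weak approach: handler attributes and javascript: URLs survive untouched.
    return re.sub(r"</?\s*script[^>]*>", "", html, flags=re.IGNORECASE)

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}  # assumed allowlist
VOID_TAGS = {"img", "br"}

def safe_url(value: str) -> bool:
    # Only http(s) or relative URLs; control chars are stripped first because
    # browsers ignore them inside the scheme (e.g. "java\nscript:").
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in ("", "http", "https")

class AllowlistSanitizer(HTMLParser):
    # Unknown tags are dropped but their text kept; script/style bodies are discarded.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropping = [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping = tag
        elif tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:
                ok = name in ALLOWED_ATTRS.get(tag, ()) and (
                    name not in ("href", "src") or safe_url(value or ""))
                if ok:  # on* handlers, unlisted attributes and bad URLs are dropped
                    kept += f' {name}="{escape(value or "", quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag == self.dropping:
            self.dropping = None
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.dropping is None:
            self.out.append(escape(data, quote=False))

def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Running both functions over the same constructed input shows the blocklist returning handler attributes intact while the allowlist version returns plain tags and text.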
Remediation
Users can upgrade to HAX CMS PHP version 11.0.0 or later to address this vulnerability.
