HAX CMS NodeJS Content Security Policy Vulnerability Allowing Cross-Site Scripting
Vulnerability
HAX CMS NodeJS versions 11.0.7 and prior run with the Content Security Policy (CSP) disabled. The application's Helmet configuration explicitly turns the CSP off, which leaves production environments unprotected. Without a CSP, the application has no policy-level mitigation for cross-site scripting (XSS), so it fails to reduce the risk from any such flaw.
Impact
The absence of a CSP, combined with an XSS vulnerability, could allow an attacker to execute arbitrary scripts, potentially leading to the exfiltration of data such as session tokens and other sensitive local information.
Reproduction
To reproduce this vulnerability, install HAX CMS NodeJS. Once the application is running, it will load without a Content Security Policy configured, leaving it vulnerable to cross-site scripting attacks.
Remediation
Users can upgrade to HAX CMS NodeJS version 11.0.8 or later, where this vulnerability has been addressed.
