HAX CMS NodeJS Improper Error Handling in File Management Endpoints Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in HAX CMS NodeJS versions through 11.0.3. The issue arises in the listFiles and saveFile endpoints, where the application crashes when an authenticated user sends a request without the required URL parameters. This failure occurs because the application does not adequately manage exceptions related to user-modifiable URL parameters.

Impact

Exploitation of this vulnerability causes the NodeJS application to crash, disrupting access to the backend server. This outage affects all users and, if the backend hosts websites, those sites will also become unavailable.

Reproduction

To reproduce this vulnerability, send an API request to the listFiles or saveFile endpoints without including the necessary URL parameters. The server will respond with an error indicating an invalid argument type, and the application will crash.

Remediation

Users can upgrade to HAX CMS NodeJS version 11.0.9 or later to address this vulnerability.
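
The failure class described above and the defensive pattern against it, as an added example that is not HAX CMS code: a required query parameter is validated before it reaches a path call, and a wrapper turns any remaining handler exception into an error response instead of a process crash. The handler names, the siteName parameter, SITES_ROOT and the use of path.join as the source of the invalid-argument-type error are assumptions made for illustration.

```javascript
// Added example, not HAX CMS code. All names here are hypothetical.
const path = require('node:path');

const SITES_ROOT = '/var/www/sites'; // constructed value

// Unguarded shape: a missing query parameter reaches path.join() as
// undefined, which throws TypeError with code ERR_INVALID_ARG_TYPE.
function listFilesUnguarded(query) {
  const dir = path.posix.join(SITES_ROOT, query.siteName, 'files');
  return { status: 200, body: { dir } };
}

// Guarded shape: check type and content before any path or fs call,
// and answer a malformed request with 400.
function listFilesGuarded(query) {
  const name = query ? query.siteName : undefined;
  if (typeof name !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(name)) {
    return { status: 400, body: { error: 'siteName is required' } };
  }
  const dir = path.posix.join(SITES_ROOT, name, 'files');
  return { status: 200, body: { dir } };
}

function toErrorResponse(err) {
  // Log err server-side here; return only a generic message to the client.
  return { status: 500, body: { error: 'internal error', code: err.code || null } };
}

// Last line of defence: catch synchronous throws and async rejections so
// one bad request cannot terminate the process.
function safe(handler) {
  return (query) => {
    try {
      const result = handler(query);
      return result && typeof result.then === 'function'
        ? result.catch(toErrorResponse)
        : result;
    } catch (err) {
      return toErrorResponse(err);
    }
  };
}

console.log(listFilesGuarded({}));                  // request without the parameter
console.log(listFilesGuarded({ siteName: 'demo' }));
console.log(safe(listFilesUnguarded)({}));          // exception contained
```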

Added: Jul 22, 2025, 12:10 AM
Updated: Jul 22, 2025, 12:10 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.