HAX CMS NodeJS Hardcoded Credentials and Default JWT Keys Vulnerability

Vulnerability

A vulnerability exists in HAX CMS NodeJS versions 11.0.9 and prior, where the application is distributed with hardcoded default credentials for user and superuser accounts, as well as default private keys for JSON Web Tokens (JWTs). During installation, users are not prompted to change these credentials or secrets, and there is no option to modify them through the user interface. An unauthenticated attacker can exploit this vulnerability by accessing the default credentials and JWT private keys available in the public haxtheweb GitHub repositories. These can be used to log into unconfigured self-hosted instances of the application, allowing the attacker to modify sites and potentially conduct further attacks.

Impact

Exploitation of this vulnerability allows unauthorized access to HAX CMS NodeJS instances, where an attacker can use the default credentials to log in, modify site content, and possibly carry out additional attacks within the application.

Reproduction

The vulnerability can be reproduced by installing HAX CMS NodeJS version 11.0.9 or earlier. After installation, the default credentials and JWT private keys can be read from the public haxtheweb GitHub repositories. With these keys and credentials, an unauthenticated user can log into an unconfigured self-hosted instance of the application and gain unauthorized access to modify sites.

Remediation

Upgrade to HAX CMS NodeJS version 11.0.10 or later, where this vulnerability has been patched. Until the upgrade is applied, an unconfigured self-hosted instance that is reachable by others should be treated as exposed, since the credentials and keys it accepts are public.

Added: Jul 22, 2025, 10:30 PM
Updated: Jul 22, 2025, 10:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.