HAX CMS Clickjacking Vulnerability

Vulnerability

A clickjacking vulnerability has been identified in HAX CMS applications with NodeJS and PHP backends, specifically in haxcms-nodejs versions 11.0.12 and below, and haxcms-php versions 11.0.7 and below. The vulnerability arises because the applications do not include headers to prevent iframe embedding, leaving both the CMS and generated sites exposed. This allows an unauthenticated attacker to load sensitive pages, such as the standalone login page, within an iframe, potentially coercing users into performing unintended actions through social engineering tactics.

Impact

Exploitation of this vulnerability allows for UI redressing attacks, commonly known as clickjacking, where an attacker can manipulate a user's interaction with the HAX CMS application by overlaying an iframe with deceptive content.

Reproduction

To reproduce this vulnerability, load any page from the HAX CMS application in an iframe. Because the responses carry no anti-framing header (neither X-Frame-Options nor a Content-Security-Policy frame-ancestors directive), the browser embeds the page, exposing the login page and other sensitive functionality to clickjacking attacks.

Remediation

Users can update to haxcms-nodejs version 11.0.13 or haxcms-php version 11.0.8 to address this vulnerability.
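As an added example (not HAX CMS project code), the following JavaScript evaluates a response's anti-framing headers the way a browser would, reporting whether a given origin is allowed to frame the page, and shows the header pair a fix adds; all origins and header values in it are constructed.

```javascript
// Added example, not HAX CMS code: decide from a response's headers whether a given
// origin may frame the page, then add the headers that close the gap.
function getHeader(headers, name) { // case-insensitive lookup (Node lowercases names)
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]);
}
// Source list of the CSP frame-ancestors directive, or null when it is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}
// Match one CSP source expression against a framing origin such as "https://evil.example".
function sourceMatches(src, framer, page) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return framer === page;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.startsWith(s); // scheme-source, e.g. https:
  const [fScheme, fHost] = framer.split('://');
  const [sScheme, sHost] = s.includes('://') ? s.split('://') : [fScheme, s];
  if (sScheme !== fScheme) return false;
  if (sHost.startsWith('*.')) return fHost.endsWith(sHost.slice(1)); // host wildcard
  return fHost === sHost;
}
// True when a page at pageOrigin, served with these headers, can be framed from framerOrigin.
// frame-ancestors takes precedence over X-Frame-Options when both are present (CSP Level 3).
function canBeFramedBy(headers, pageOrigin, framerOrigin) {
  const page = pageOrigin.toLowerCase(), framer = framerOrigin.toLowerCase();
  const sources = frameAncestors(getHeader(headers, 'content-security-policy'));
  if (sources !== null) return sources.some((s) => sourceMatches(s, framer, page));
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer === page;
  return true; // no header (or obsolete ALLOW-FROM, which browsers ignore): anyone may frame
}
// Remediation shape: emit both headers so older and current browsers refuse cross-site framing.
function addAntiFramingHeaders(headers) {
  return { ...headers, 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}
// Constructed sample: an unprotected response before and after remediation.
const sample = { 'content-type': 'text/html' };
console.log(canBeFramedBy(sample, 'https://cms.example', 'https://attacker.example')); // true
console.log(canBeFramedBy(addAntiFramingHeaders(sample), 'https://cms.example', 'https://attacker.example')); // false
```

The same check run against a live response's headers (for example from `res.headers` in a Node client) tells you whether a deployed instance still has the gap described above.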

Added: Jul 23, 2025, 12:16 AM
Updated: Jul 23, 2025, 12:16 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.