HAX CMS Lack of Authorization Checks in API Endpoints
Vulnerability
A vulnerability exists in HAX CMS versions 11.0.13 and below for both the Node.js and PHP backends. The issue arises because API endpoints fail to perform necessary authorization checks before allowing users to interact with resources. While the endpoints verify if a user is authenticated, they do not ensure that the user has the appropriate permissions to carry out specific operations. This oversight enables authenticated users to manipulate resources without proper authorization, potentially leading to unauthorized modifications or deletions.
Impact
Exploitation of this vulnerability allows authenticated users to interact with and modify resources on behalf of other users, including the deletion of sites and nodes. Additionally, the 'getConfig' endpoint can be accessed to retrieve application configuration data, which may contain sensitive information such as plaintext credentials.
Reproduction
To reproduce this vulnerability, send a request to one of the affected API endpoints, such as 'deleteNode', which do not perform the required authorization checks. This works when the 'site_token' parameter is omitted or when the token is not validated against the user's permissions. The request will be processed, allowing unauthorized actions to be performed on the user's behalf.
Remediation
Users can update to HAX CMS version 11.0.14 for Node.js or 11.0.9 for PHP, where this vulnerability has been addressed.
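The gap between an authentication-only handler and one that also authorizes the request, shown as an added example (not HAX CMS code and not its actual patch). The data stores, handler names and per-site token scheme are assumptions made for illustration:

```javascript
// Added illustration. Every name here (sites, sessions, siteTokens, the
// handlers) is hypothetical and is not taken from the HAX CMS code base.
const sites = new Map([                       // constructed sample data
  ['alice-blog', { owner: 'alice', nodes: new Set(['n1', 'n2']) }],
  ['bob-docs', { owner: 'bob', nodes: new Set(['n9']) }],
]);
const sessions = new Map([['sess-alice', 'alice'], ['sess-bob', 'bob']]);
// Per-user, per-site tokens issued by the server after login (constructed).
const siteTokens = new Map([['alice:alice-blog', 'tok-a1'], ['bob:bob-docs', 'tok-b1']]);

// Compare tokens without stopping at the first mismatching character.
function sameToken(given, expected) {
  if (typeof given !== 'string' || typeof expected !== 'string') return false;
  let diff = given.length ^ expected.length;
  for (let i = 0; i < given.length; i++) diff |= given.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// Pattern the advisory describes: the session is checked, permissions are not.
function deleteNodeAuthnOnly(req) {
  const user = sessions.get(req.session);
  if (!user) return { status: 401 };
  sites.get(req.site)?.nodes.delete(req.node); // any logged-in user gets here
  return { status: 200 };
}

// Hardened: authenticate, then authorize this user for this site and token.
function deleteNodeAuthorized(req) {
  const user = sessions.get(req.session);
  if (!user) return { status: 401 };
  const site = sites.get(req.site);
  // Same answer for "no such site" and "not yours", so existence is not leaked.
  if (!site || site.owner !== user) return { status: 403 };
  const expected = siteTokens.get(`${user}:${req.site}`);
  if (!sameToken(req.site_token, expected)) return { status: 403 };
  if (!site.nodes.delete(req.node)) return { status: 404 };
  return { status: 200 };
}
```

The authorization decision lives in the handler for the state-changing operation itself, so a missing or mismatched 'site_token' fails closed rather than falling through to the delete.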
