HAX CMS
- <= 26.0.0
A stored cross-site scripting vulnerability has been identified in HAX CMS versions up to and including 26.0.0. The issue resides in the '/system/api/saveNode' endpoint, where an authenticated user with page editing permissions can bypass the HTML sanitizer. The bypass is achieved by injecting an event handler attribute with no whitespace before it, so the sanitizer does not recognize it as an attribute while the browser still does; the malicious JavaScript then executes when the injected link is clicked.
Exploitation of this vulnerability allows authenticated users with page editing rights to inject JavaScript that is executed in the context of the user viewing the page. This could lead to unauthorized actions being performed on behalf of the user, using their permissions and access tokens.
To reproduce this vulnerability, log into HAX CMS and edit a page. Capture the save request using a tool like Burp Suite. In the request body, modify the 'node.body' parameter to include an event handler attribute, such as 'onclick', without any whitespace before it. Once the request is forwarded, the injected JavaScript will execute when the edited page is viewed and the link is clicked.
Users can update to @haxtheweb/haxcms-nodejs version 26.0.1 or haxcms-php version 26.0.2 to address this vulnerability.
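The root cause described above, a sanitizer that assumes attributes are always separated by whitespace while the browser's tokenizer accepts `href="..."onclick="..."`, is illustrated below. This is an added example and not HAX CMS's own sanitizer: the naive regex filter is a constructed stand-in for that class of bug, and the hardened version rebuilds markup from a real HTML tokenizer (Python's stdlib `HTMLParser`) with a tag and attribute allowlist, so no `on*` attribute survives regardless of spacing.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed "before" sanitizer: strips event handlers only when preceded by whitespace.
NAIVE_EVENT_ATTR = re.compile(r'\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)

def naive_strip_event_handlers(html: str) -> str:
    return NAIVE_EVENT_ATTR.sub("", html)

# Hardened approach: tokenize like a browser, then re-emit only allowlisted tags/attributes.
ALLOWED_TAGS = {"a": {"href", "title"}, "p": set(), "br": set(),
                "b": set(), "i": set(), "em": set(), "strong": set()}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.I)  # blocks javascript:/data: URLs

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tags are dropped entirely (their text is kept, escaped)
        kept = []
        for name, value in attrs:  # parser lowercases names; attribute may have no value
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_TAGS[tag]:
                continue  # event handlers and anything off the allowlist are removed
            if name == "href" and not SAFE_URL.match(value.strip()):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped on output

def sanitize(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed sample in the shape the advisory describes: no space before the handler.
PAYLOAD = '<a href="https://example.com"onclick="alert(1)">click</a>'
```

Running `naive_strip_event_handlers(PAYLOAD)` leaves the handler in place, while `sanitize(PAYLOAD)` returns `<a href="https://example.com">click</a>`.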