We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-48996

Unauthenticated Disclosure of PSU HAX CMS Site Listings via haxPsuUsage API Endpoint



Description

HAX open-apis provides microservice apis for HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the `haxPsuUsage` API endpoint, related to a flat present in open-apis versions up to and including 10.0.2. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion. Commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7 patches the vulnerability.

Reserved 2025-05-29 | Published 2025-06-02 | Updated 2025-06-03 | Assigner GitHub_M


MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-201: Insertion of Sensitive Information Into Sent Data

Product status

<= 10.0.2
affected

References

github.com/...issues/security/advisories/GHSA-fvx2-x7ff-fc56

github.com/...ommit/06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7

cve.org (CVE-2025-48996)

nvd.nist.gov (CVE-2025-48996)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-48996

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.