Description
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an attack chain utilizing Stored XSS alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the `jwt`, `user_token`, `site_token`, and `appstore_token`) into a global JavaScript variable (`window.appSettings`). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook. Version 26.0.0 patches the issue.
Problem types
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-522: Insufficiently Protected Credentials
CWE-922: Insecure Storage of Sensitive Information
Product status
References
github.com/...issues/security/advisories/GHSA-x3x5-7h4h-gwxg
github.com/...issues/security/advisories/GHSA-x3x5-7h4h-gwxg