{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54378", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-21T16:12:20.733Z", "datePublished": "2025-07-26T03:27:34.305Z", "dateUpdated": "2025-07-28T19:01:27.428Z"}, "containers": {"cna": {"title": "HAX CMS Backend Lacks Comprehensive Authorization Checks", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"}, {"name": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969", "tags": ["x_refsource_MISC"], "url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969"}, {"name": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd", "tags": ["x_refsource_MISC"], "url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd"}], "affected": [{"vendor": "haxtheweb", "product": "issues", "versions": [{"version": "< 11.0.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-26T03:27:34.305Z"}, "descriptions": [{"lang": "en", "value": "HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php."}], "source": {"advisory": "GHSA-9jr9-8ff3-m894", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T19:01:21.403243Z", "id": "CVE-2025-54378", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T19:01:27.428Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54378", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-28T19:01:21.403243Z"}}}], "references": [{"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T19:01:15.163Z"}}], "cna": {"title": "HAX CMS Backend Lacks Comprehensive Authorization Checks", "source": {"advisory": "GHSA-9jr9-8ff3-m894", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "haxtheweb", "product": "issues", "versions": [{"status": "affected", "version": "< 11.0.14"}]}], "references": [{"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894", "name": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969", "name": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd", "name": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-26T03:27:34.305Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54378", "state": "PUBLISHED", "dateUpdated": "2025-07-28T19:01:27.428Z", "dateReserved": "2025-07-21T16:12:20.733Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-26T03:27:34.305Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:psu:haxcms-nodejs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "3129AEF5-B4C5-4694-AE1F-9A402890B1E5", "versionEndExcluding": "11.0.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:psu:haxcms-php:*:*:*:*:*:*:*:*", "matchCriteriaId": "1A74B72F-D438-44F9-9A3D-53CE9D8487A4", "versionEndExcluding": "11.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php."}, {"lang": "es", "value": "HAX CMS permite gestionar el universo de micrositios con backends PHP o NodeJs. En las versiones 11.0.13 y anteriores de haxcms-nodejs y 11.0.8 y anteriores de haxcms-php, los endpoints de la API no realizan comprobaciones de autorizaci\u00f3n al interactuar con un recurso. Tanto la versi\u00f3n JS como la PHP del CMS no verifican que un usuario tenga permiso para interactuar con un recurso antes de realizar una operaci\u00f3n. Los endpoints de la API dentro de la aplicaci\u00f3n HAX CMS comprueban si un usuario est\u00e1 autenticado, pero no comprueban la autorizaci\u00f3n antes de realizar una operaci\u00f3n. Esto se ha corregido en las versiones 11.0.14 de haxcms-nodejs y 11.0.9 de haxcms-php."}], "id": "CVE-2025-54378", "lastModified": "2025-08-21T20:54:52.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-26T04:16:05.967", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/haxtheweb/haxcms-nodejs/commit/5826e9b7f3d8c7c7635411768b86b199fad36969"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/haxtheweb/haxcms-php/commit/24d30222481ada037597c4d7c0a51a1ef7af6cfd"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-9jr9-8ff3-m894"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-28T12:45:50.900477+00:00", "updated": "2025-07-28T12:45:50.900548+00:00", "vendors": ["haxtheweb", "haxtheweb$PRODUCT$haxcms-nodejs", "haxtheweb$PRODUCT$haxcms-php"]}