HAX CMS application pages vulnerable to clickjacking

GHSA-54vw-f4xf-f92j · CVE-2025-54139

Published Jul 21, 2025 · Modified Jul 23, 2025

Description

Summary

All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This applies to both the CMS and generated sites.

PoC

To replicate this vulnerability, load the target page in an iframe and observe the rendered content.

Impact

An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (Clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application.

References

WEB https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-54139
WEB https://github.com/haxtheweb/haxcms-nodejs/commit/777f9a7ff9675a160496f350d766df1f1f9b9b99
WEB https://github.com/haxtheweb/haxcms-php/commit/708dc8518928fe307044e67bff8b0f397cfdd606
PACKAGE https://github.com/haxtheweb/issues

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes