Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover

Summary

A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of <iframe> elements.

The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts.

Details

Successful exploitation allows access to any data available in the browser context, including:

• Authentication tokens (e.g., JWT)
• Session cookies (if not protected with HttpOnly)
• Application configuration (e.g., window.appSettings)
• User-specific data accessible via APIs

This significantly increases the impact beyond simple script execution.

PoC

Steps to reproduce:

1. Log in to HAX CMS as any authenticated user.
2. Create a new page or edit an existing page.
3. Open the HTML source editor (<>).
4. Insert the following payload:

<iframe srcdoc="&lt;script&gt;
    (function(){
        try {
            var jwt = parent.window.appSettings.jwt;
            alert('Stolen JWT:\n' + jwt);
        } catch(e) {
            alert('Error: ' + e.message);
        }
    })();
&lt;/script&gt;" style="display:none" sandbox="allow-scripts allow-same-origin"></iframe>

Impact

This vulnerability allows stored XSS leading to:

• Execution of arbitrary JavaScript in victim browsers
• Access to sensitive client-side data, including authentication tokens and session identifiers
• Unauthorized API actions performed on behalf of the victim
• Session hijacking and full account takeover

Because the application exposes authentication data in the client-side environment, exploitation of this vulnerability can lead to complete compromise of user accounts and site content.