Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01NHZ3LWY0eGYtZjkyas4ABKWO

Moderate EPSS: 0.00039% (0.10763 Percentile) EPSS:
Permalink JSON

HAX CMS application pages vulnerable to clickjacking

Affected Packages Affected Versions Fixed Versions
packagist:elmsln/haxcms < 11.0.8 11.0.8
0 Dependent packages
0 Dependent repositories
5 Downloads total

Affected Version Ranges

All affected versions

0.0.1, 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.12.3

All unaffected versions
npm:@haxtheweb/haxcms-nodejs < 11.0.13 11.0.13
0 Dependent packages
0 Dependent repositories
2,215 Downloads last month

Affected Version Ranges

All affected versions

0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11, 0.0.12, 0.0.13, 0.0.14, 0.0.15, 0.0.16, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.18, 9.0.19, 9.0.20, 9.0.21, 10.0.0, 10.0.1, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12

All unaffected versions

11.0.13, 11.0.14, 11.0.15

Summary

All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This applies to both the CMS and generated sites.

PoC

To replicate this vulnerability, load the target page in an iframe and observe the rendered content.

image

Impact

An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (Clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application.

References:

Identifiers

GHSA-54vw-f4xf-f92j

CVE-2025-54139

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00039

EPSS Percentile: 0.10763

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/haxtheweb/issues

Date and time

Published

9 days ago

Updated

8 days ago

API

JSON