GHSA-g2g8-95qg-v35h

High · CVSS 8.7 / 10
Published May 29, 2026 · Last modified May 29, 2026
Affected Components (1)
npm: @haxtheweb/haxcms-nodejs < 26.0.1
Description

Summary

HaxCMS is affected by a stored cross-site scripting (XSS) vulnerability in the /system/api/saveNode endpoint. An authenticated user with permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name.

For example, the sanitizer misses:

<a href="#"onclick="alert('kn1ph')">click me</a>

The important bypass is:

href="#"onclick=

The payload is stored in the generated page files and executes when a user clicks the injected link.

Details

The issue is caused by regex-based HTML sanitization that expects whitespace before event handler attributes. The sanitizer expects a pattern like:

href="#" onclick="..."

It fails to remove an event handler when it is written without whitespace:

href="#"onclick="..."

Browsers still parse onclick as a valid event handler attribute, so the JavaScript executes when the element is clicked.

Affected endpoint:

POST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]

Affected parameter:

node.body
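
The whitespace dependence described under Details, as an added example (not HaxCMS code and not part of the original advisory). `WEAK_HANDLER_RE` and `weakSanitize` are assumed stand-ins for a filter that requires whitespace before the attribute name, and `findEventHandlers` is a hypothetical audit helper that tokenizes attributes without that requirement.

```javascript
// Added example. WEAK_HANDLER_RE is an assumed stand-in for a
// whitespace-dependent filter; it is not the HaxCMS source.
const WEAK_HANDLER_RE = /\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*')/gi;

function weakSanitize(html) {
  return html.replace(WEAK_HANDLER_RE, "");
}

// Start tag: name, then attribute text in which quoted values may contain ">".
const START_TAG_RE = /<([a-zA-Z][^\s\/>]*)((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
// One attribute: a name, optionally "=" and a quoted or unquoted value.
// No leading whitespace is required, because browsers accept a new
// attribute name directly after the closing quote of the previous value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

// Return every on* attribute a browser would see, as "tag.attr" strings.
function findEventHandlers(html) {
  const found = [];
  for (const [, tag, attrText] of html.matchAll(START_TAG_RE)) {
    for (const [, name] of attrText.matchAll(ATTR_RE)) {
      if (/^on[a-z]/i.test(name)) {
        found.push(`${tag.toLowerCase()}.${name.toLowerCase()}`);
      }
    }
  }
  return found;
}

// Constructed samples; UNSPACED is the form quoted in the advisory.
const SPACED = `<a href="#" onclick="alert('kn1ph')">click me</a>`;
const UNSPACED = `<a href="#"onclick="alert('kn1ph')">click me</a>`;
// Unquoted value: the browser reads "#onclick=x" as the href, so no handler.
const UNQUOTED = `<a href=#onclick=x>text</a>`;

// Run the weak filter, then audit what is left in the output.
function demo() {
  return {
    spaced: findEventHandlers(weakSanitize(SPACED)),
    unspaced: findEventHandlers(weakSanitize(UNSPACED)),
    unquoted: findEventHandlers(UNQUOTED),
  };
}

console.log(demo());
```

The same audit can be run over stored page content (the advisory notes the payload lands in generated files such as index.html) to find entries saved before upgrading. It only detects handlers; removing them belongs in an HTML-parser-based allowlist sanitizer rather than in a regex.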

PoC

  1. Log in to HaxCMS and edit any existing page.

  2. Capture the page save request in Burp Suite:

POST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]

  3. In the JSON request body, modify only the node.body value.

Change:

"body":"...existing page content...\n"

To:

"body":"...existing page content...\n<a href=\"#\"onclick=\"alert('kn1ph')\">click me</a>\n"

  4. Forward the request.

  5. Open the edited page and click "click me".

Result:

The JavaScript will execute and the alert will pop up.

It was confirmed that the payload is stored in the generated page files, including index.html.

Impact

An authenticated user with permission to edit the page can inject stored JavaScript into the page content. If a privileged user interacts with the injected element while authenticated, the attacker-controlled JavaScript will execute in that user’s browser.

Based on local testing, the XSS can access browser-exposed HaxCMS data such as localStorage.jwt and window.appSettings, including API paths and tokens available to the authenticated user.

This may allow an attacker to perform actions as the victim within the limits of the exposed tokens and the victim’s permissions, and possibly to chain further vulnerabilities.

Risk Scores
Base Score
8.7

The vulnerability can be exploited over the network without needing physical access. It is easy for an attacker to exploit this vulnerability. An attacker needs basic access or low-level privileges. The attacker needs the user to perform some action, like clicking a link. The vulnerability can affect other systems as well, not just the initial system. There is a high impact on the confidentiality of the information. There is a high impact on the integrity of the data.

Threat Intelligence
8.0

Exploitation activity has been observed. Apply available patches or mitigations urgently.

EPSS
N/A

Probability that this vulnerability will be exploited in the wild within the next 30 days.

Exploit
Not available

We did not find any exploit available, neither in GitHub repositories nor in the Exploit-Database.
