CVE-2025-54128: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in haxtheweb issues
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This is fixed in version 11.0.8.
AI Analysis
Technical Summary
CVE-2025-54128 is a high-severity weakness in the NodeJS version of HAX CMS, affecting versions 11.0.7 and below. HAX CMS is a content management system for managing microsite universes with a NodeJS backend. The root cause is configuration rather than a single injection point: the Content Security Policy (CSP) is explicitly disabled in the application's Helmet middleware configuration in app.js. Helmet is a widely used NodeJS middleware that sets security-related HTTP headers, including Content-Security-Policy, which tells the browser to execute scripts only from permitted origins or only when they carry a matching nonce or hash. With CSP switched off, the browser runs any script that reaches a rendered page, so any reflected or stored injection point in the CMS, present or future, becomes directly exploitable; the missing policy is the defence-in-depth layer that would otherwise have blocked such a payload. The advisory classifies the issue as CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 4.0 base score of 7.2 (High) reflects a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and passive user interaction (UI:P); the published vector rates availability impact high and confidentiality and integrity impact lower. The issue is fixed in version 11.0.8, which re-enables CSP. No exploits in the wild were known at publication, but exploitation is feasible wherever user-controlled input is reflected or stored and rendered without adequate output encoding. Every deployment of the HAX CMS NodeJS backend below 11.0.8 ships with this configuration and should be treated as affected in production.
Potential Impact
For European organizations running HAX CMS NodeJS backend versions below 11.0.8, the risk is significant. Without CSP, an attacker who can get script into a rendered page executes arbitrary JavaScript in the victim's browser in the context of the CMS origin, enabling session hijacking, credential theft, actions performed on behalf of the victim, and malware delivery. This compromises the confidentiality of data managed through the microsites, degrades content integrity, and can disrupt availability where injected scripts break or redirect pages. Organizations in government, finance, healthcare and media that rely on HAX CMS for microsite management face heightened exposure because of the sensitivity of their data and obligations under regulations such as GDPR; exploitation could result in data breaches, reputational damage, regulatory fines and loss of user trust. Because the vector requires user interaction (UI:P), an attacker would typically lure victims to a crafted or poisoned page via phishing or social engineering, which lowers the bar for exploitation rather than requiring any privileged access. The absence of known exploits offers a window for remediation, but the ease of exploitation once an injection point exists warrants prompt action.
Mitigation Recommendations
European organizations should upgrade HAX CMS to version 11.0.8 or later, where CSP is enabled in the Helmet configuration. In addition to upgrading, organizations should: 1) Review the resulting Content Security Policy against their own microsite content and tighten it where possible: restrict script-src to trusted origins, prefer nonces or hashes over 'unsafe-inline', and roll changes out with Content-Security-Policy-Report-Only first so legitimate content is not broken. 2) Treat CSP as defence in depth, not a substitute: keep validating input and encoding output so that scripts are never injected in the first place. 3) Set the other security headers Helmet offers, such as X-Content-Type-Options, X-Frame-Options (or the frame-ancestors CSP directive) and Strict-Transport-Security. 4) Audit and penetration-test the deployment for XSS vectors, since any residual injection point is directly exploitable wherever CSP is absent. 5) Educate users and administrators about phishing, since exploitation requires user interaction. 6) Monitor web traffic and application logs for payloads indicative of XSS attempts, and collect CSP violation reports once a policy is in place. 7) If an immediate upgrade is not feasible, re-enable contentSecurityPolicy in the Helmet configuration or inject the header at a reverse proxy, and consider a Web Application Firewall (WAF) with XSS rules as an interim control.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T23:53:40.509Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 687eaa92a83201eaac1449ab
Added to database: 7/21/2025, 9:01:06 PM
Last enriched: 7/29/2025, 1:18:01 AM
Last updated: 9/3/2025, 5:23:13 AM
Views: 33
Related Threats
- CVE-2025-36908: Elevation of privilege in Google Android (Medium)
- CVE-2025-36907: Elevation of privilege in Google Android (High)
- CVE-2025-57263: n/a (High)
- CVE-2025-7388: CWE-77 in Progress Software Corporation OpenEdge (High)
- CVE-2025-36904: Elevation of privilege in Google Android (High)