CVE-2025-54128: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in haxtheweb issues
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This is fixed in version 11.0.8.
CVE-2025-54128: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in haxtheweb issues
Description
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This is fixed in version 11.0.8.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-07-16T23:53:40.509Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 687eaa92a83201eaac1449ab
Added to database: 7/21/2025, 9:01:06 PM
Last updated: 7/21/2025, 9:01:06 PM
Views: 1
Related Threats
CVE-2025-54134: CWE-20: Improper Input Validation in haxtheweb issues
HighCVE-2025-54129: CWE-204: Observable Response Discrepancy in haxtheweb issues
MediumCVE-2025-7939: Unrestricted Upload in jerryshensjf JPACookieShop 蛋糕商城JPA版
MediumCVE-2025-54122: CWE-918: Server-Side Request Forgery (SSRF) in Manager-io Manager
CriticalCVE-2025-54127: CWE-1188: Insecure Default Initialization of Resource in haxtheweb issues
CriticalActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.