CVE-2025-54139: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in haxtheweb issues
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.
AI Analysis
Technical Summary
CVE-2025-54139 is a medium severity vulnerability affecting haxtheweb's HAX CMS products, specifically haxcms-nodejs versions 11.0.12 and below and haxcms-php versions 11.0.7 and below. The vulnerability arises because these versions do not send HTTP headers such as X-Frame-Options or a Content-Security-Policy frame-ancestors directive to prevent the application pages from being embedded within iframes on other websites. This lack of anti-framing headers allows an unauthenticated attacker to load sensitive pages, including the standalone login page, within an iframe on a malicious site. By doing so, the attacker can perform a UI redressing attack, commonly known as clickjacking. Clickjacking tricks users into interacting with hidden or disguised UI elements, potentially causing them to perform unintended actions within the HAX CMS environment. Since the vulnerability does not require authentication and can be exploited remotely with low complexity, it poses a risk of social engineering attacks that could lead to unauthorized actions or manipulation of the CMS by tricking legitimate users. The vulnerability affects both the CMS backend and the generated microsites, broadening the attack surface. The issue was resolved in haxcms-nodejs version 11.0.13 and haxcms-php version 11.0.8 by adding appropriate headers to prevent iframe embedding. No known exploits are reported in the wild as of the publication date. The CVSS 3.1 base score is 4.3, reflecting a medium severity level, with no impact on confidentiality or availability but some impact on integrity due to potential unauthorized actions via UI redressing. User interaction is required for exploitation, and the attack scope is limited to users of vulnerable HAX CMS instances.
Potential Impact
For European organizations using HAX CMS (NodeJS or PHP versions prior to the fixed releases), this vulnerability could enable attackers to conduct clickjacking attacks that may trick administrators or content managers into performing unintended actions, such as modifying site content, changing configurations, or potentially escalating privileges if combined with other vulnerabilities. While the vulnerability does not directly expose sensitive data or cause service disruption, the integrity of the CMS-managed content and configurations could be compromised. This risk is particularly relevant for organizations relying on HAX CMS for managing multiple microsites or critical web content, including government agencies, educational institutions, and private enterprises. The social engineering aspect means that user training and awareness are also factors in the potential impact. Since the vulnerability is unauthenticated and remotely exploitable, attackers can target users without needing prior access. However, the absence of known exploits in the wild suggests limited active exploitation currently. Nonetheless, the impact could increase if attackers develop automated or targeted clickjacking campaigns against European entities using vulnerable versions.
Mitigation Recommendations
European organizations should immediately upgrade affected HAX CMS installations to haxcms-nodejs version 11.0.13 or later, or haxcms-php version 11.0.8 or later, where the issue is fixed by adding frame-embedding prevention headers. If immediate upgrade is not feasible, organizations can implement web server or reverse proxy configurations to add X-Frame-Options: DENY or Content-Security-Policy frame-ancestors directives to all HAX CMS pages and generated microsites to block iframe embedding. Additionally, organizations should conduct user awareness training to recognize and avoid social engineering attempts involving clickjacking. Regular security assessments and penetration testing should include checks for UI redressing vulnerabilities. Monitoring web traffic for suspicious referrer headers or iframe embedding attempts can help detect exploitation attempts. Finally, applying Content Security Policy (CSP) with frame-ancestors restrictions site-wide is a robust defense that should be part of the security posture.
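The header-based mitigation above, as an added example that is not HAX CMS project code: a small Express-style middleware (the `res.setHeader`/`next` API is assumed) that sets both anti-framing headers on every response, plus an audit function that inspects a response's headers the way a scanner would and reports whether the page can still be framed by arbitrary third-party sites.

```javascript
// Added example, not part of HAX CMS. Shows the fix (send anti-framing headers)
// and the check (does a given set of response headers actually block framing?).

// Build the two headers that stop cross-site framing. An empty allowlist means
// "nobody may frame this page": CSP frame-ancestors 'none' plus X-Frame-Options DENY.
function antiFramingHeaders(allowedAncestors = []) {
  const list = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  return {
    // Browsers that support CSP Level 2 honour frame-ancestors and ignore X-Frame-Options.
    'Content-Security-Policy': `frame-ancestors ${list}`,
    // Fallback for older browsers; SAMEORIGIN is the fail-closed fallback when an allowlist is used.
    'X-Frame-Options': allowedAncestors.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Express-style middleware (assumed res.setHeader/next API) applying the headers to every page,
// which is what covers both the CMS itself and the generated microsites.
function frameGuard(allowedAncestors = []) {
  const headers = antiFramingHeaders(allowedAncestors);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Case-insensitive header lookup; tolerates array values as returned by Node's res.getHeaders().
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  const value = key === undefined ? undefined : headers[key];
  return Array.isArray(value) ? value.join(', ') : value;
}

// Audit: true when the headers prevent framing by arbitrary third-party sites.
// frame-ancestors takes precedence over X-Frame-Options, mirroring browser behaviour.
function framingBlocked(headers) {
  const csp = getHeader(headers, 'content-security-policy') || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name && name.toLowerCase() === 'frame-ancestors') {
      // '*' or a bare scheme (https:) lets any site frame the page; 'none', 'self'
      // or an explicit host list restricts it. An empty list behaves like 'none'.
      return !sources.some((s) => s === '*' || /^https?:$/i.test(s));
    }
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  return xfo === 'DENY' || xfo === 'SAMEORIGIN';
}
```

A response with neither header, which is what the affected versions produce, makes `framingBlocked` return false; the same check can be run against headers captured from a reverse proxy to confirm an interim fix is actually reaching the generated microsites.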
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T23:53:40.510Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6880207ca915ff00f7fc971c
Added to database: 7/22/2025, 11:36:28 PM
Last enriched: 7/30/2025, 1:37:16 AM
Last updated: 9/5/2025, 5:39:15 AM