CVE-2025-54139: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in haxtheweb issues
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.
CVE-2025-54139: CWE-1021: Improper Restriction of Rendered UI Layers or Frames in haxtheweb issues
Description
HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-07-16T23:53:40.510Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6880207ca915ff00f7fc971c
Added to database: 7/22/2025, 11:36:28 PM
Last updated: 7/22/2025, 11:36:28 PM
Views: 1
Related Threats
CVE-2025-43485: CWE-532 Insertion of Sensitive Information into Log File in HP Inc. Poly Clariti Manager
MediumCVE-2025-43484: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HP Inc. Poly Clariti Manager
MediumCVE-2025-43483: CWE-321: Use of Hard-coded Cryptographic Key in HP Inc. Poly Clariti Manager
MediumCVE-2025-43488: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HP Inc. Poly Clariti Manager
LowCVE-2025-43487: CWE-250: Execution with Unnecessary Privileges in HP Inc. Poly Clariti Manager
MediumActions
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.