CVE-2025-49139
MEDIUM EPSS 24.2%
Published Jun 9, 20251y ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Published Jun 9, 2025 1y ago
Last Modified Jun 17, 2026 1w ago
Description
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, in the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials. Version 11.0.0 contains a patch for the issue.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
24.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-1021
Affected Products 2
References 2
- github.com https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5
- github.com https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg88
Remediation
- github.com https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5