CVE-2025-54128
HAX CMS NodeJs's Disabled Content Security Policy Enables Cross-Site Scripting
HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This is fixed in version 11.0.8.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N
Produtos afetados
haxtheweb · issuesQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →