CVE-2025-54139

4.3 MEDIUM

📋 TL;DR

HAX CMS versions 11.0.12 and below (NodeJS) and 11.0.7 and below (PHP) lack X-Frame-Options headers, allowing attackers to embed the CMS login page and other sensitive interfaces in iframes. This enables clickjacking attacks where users can be tricked into performing unintended actions. All HAX CMS deployments using vulnerable versions are affected.

💻 Affected Systems

Products:
  • haxcms-nodejs
  • haxcms-php
Versions: haxcms-nodejs ≤ 11.0.12, haxcms-php ≤ 11.0.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both CMS backend and generated sites. No authentication required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could embed the login page in malicious sites, tricking users into entering credentials or performing administrative actions through social engineering.

🟠 Likely Case

Clickjacking attacks leading to unauthorized actions like content modification, user impersonation, or data exposure through manipulated interfaces.

🟢 If Mitigated

With proper headers, the site cannot be loaded in iframes, preventing clickjacking entirely.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires user interaction but is straightforward to implement with basic web development skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: haxcms-nodejs 11.0.13, haxcms-php 11.0.8

Vendor Advisory: https://github.com/haxtheweb/issues/security/advisories/GHSA-54vw-f4xf-f92j

Restart Required: Yes

Instructions:

1. Update haxcms-nodejs to version 11.0.13 or haxcms-php to version 11.0.8.
2. Restart the CMS service.
3. Verify headers are present.

🔧 Temporary Workarounds

Add X-Frame-Options Header (all platforms)

Manually configure the web server to add an X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN response header.

For Apache: Header always set X-Frame-Options "DENY"
For Nginx: add_header X-Frame-Options "DENY" always;

Content Security Policy Frame Ancestors (all platforms)

Set the CSP frame-ancestors directive to restrict which origins may frame the site:

Content-Security-Policy: frame-ancestors 'self';

🧯 If You Can't Patch

  • Implement web application firewall rules to add X-Frame-Options headers
  • Use browser security extensions to block iframe loading of sensitive pages

🔍 How to Verify

Check if Vulnerable:

Use browser developer tools to inspect the HTTP response headers of the login page for an X-Frame-Options header or a Content-Security-Policy header containing a frame-ancestors directive.

Check Version:

Check package.json for haxcms-nodejs or composer.json for haxcms-php version

Verify Fix Applied:

Confirm X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'self' headers are present
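The verification steps above can be scripted. The following is an added example written for this page, not code from the advisory or the HAX CMS project: it classifies a response's anti-framing coverage from its headers, giving CSP frame-ancestors precedence over X-Frame-Options as browsers do, and flagging values browsers no longer honor (for example ALLOW-FROM). The URL in check_url is a placeholder.

```python
from urllib.request import Request, urlopen

# Sources that leave framing open to arbitrary origins.
WILDCARD_SOURCES = ("*", "http:", "https:")


def framing_protection(headers):
    """Return (protected, detail) for a mapping of HTTP response headers.

    Header names are matched case-insensitively. A frame-ancestors directive,
    when present, decides the result; X-Frame-Options is consulted otherwise.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources:
                return False, "frame-ancestors has an empty source list; check syntax"
            if any(s in WILDCARD_SOURCES for s in sources):
                return False, "frame-ancestors allows any origin: " + " ".join(sources)
            return True, "CSP frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM and other values are not reliably honored by current browsers.
        return False, "X-Frame-Options value not honored by browsers: " + xfo
    return False, "no anti-framing header present"


def check_url(url):
    """Fetch a page with GET (some CMS routes do not answer HEAD) and classify it."""
    with urlopen(Request(url, method="GET")) as resp:
        return framing_protection(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed header sets standing in for live responses.
    unpatched = {"Content-Type": "text/html", "Server": "nginx"}
    patched = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
    print("unpatched:", framing_protection(unpatched))
    print("patched:  ", framing_protection(patched))
    # check_url("https://cms.example.invalid/login")  # placeholder URL
```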

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from unexpected referrers
  • Unusual iframe-related errors

Network Indicators:

  • HTTP responses for sensitive pages missing the X-Frame-Options header

SIEM Query:

http.response.headers !contains "X-Frame-Options" AND uri.path contains "login"
