Server-side cross-site scripting in @haxtheweb/video-player
Description
Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
Summary
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of <iframe> elements.
The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the context of the victim’s browser and access sensitive data exposed to client-side scripts.
Details
Successful exploitation allows access to any data available in the browser context, including:
Authentication tokens (e.g., JWT)
Session cookies (if not protected with HttpOnly)
Application configuration (e.g., window.appSettings)
User-specific data accessible via APIs
This significantly increases the impact beyond simple script execution.
PoC
Steps to reproduce:
Log in to HAX CMS as any authenticated user.
Create a new page or edit an existing page.
Open the HTML source editor (<>).
Insert the following payload:
<iframe srcdoc="<script> (function(){ try { var jwt = parent.window.appSettings.jwt; alert('Stolen JWT:\n' + jwt); } catch(e) { alert('Error: ' + e.message); }...
Impact
This vulnerability allows stored XSS leading to:
Execution of arbitrary JavaScript in victim browsers
Access to sensitive client-side data, including authentication tokens and session identifiers
Unauthorized API actions performed on behalf of the victim
Session hijacking and full account takeover
Because the application exposes authentication data in the client-side environment, exploitation of this vulnerability can lead to complete compromise of user accounts and site content.
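As an added example (not HAX CMS or @haxtheweb code), the kind of store-time allowlist check for <iframe> tags that closes this class of bug: it rejects srcdoc, on* handlers, and any src whose scheme is not http(s) after entity decoding, so obfuscated schemes such as "&#106;avascript:" or " JaVaScRiPt:" are caught. It assumes Node 18+ for the global WHATWG URL parser; the function names are this example's own.

```javascript
// Added example, not HAX CMS / @haxtheweb code: a store-time allowlist check for
// <iframe> start tags in user-supplied HTML. Rejects srcdoc (an inline document that
// shares the parent's origin), on* handlers, and any src whose scheme is not
// http(s) after entity decoding, so "&#106;avascript:" or " JaVaScRiPt:" are caught.
// Assumes Node 18+ (global WHATWG URL). Function names are this example's own.

const START_TAG = String.raw`<iframe\b(?:[^>"']|"[^"]*"|'[^']*')*>`; // quote-aware start tag
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', Tab: '\t', NewLine: '\n' };

// Decode numeric and a few named character references the way a browser would before URL parsing.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, ref) => {
    if (ref[0] !== '#') return NAMED_ENTITIES[ref] ?? m;
    const cp = /^#x/i.test(ref) ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Parse the attributes of one <iframe ...> start tag into a map keyed by lowercase name.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*iframe/i, '').replace(/\/?>$/, '');
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(attrRe)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

// Returns null when the start tag passes the allowlist, otherwise a short reason string.
function iframeViolation(tag) {
  const attrs = parseAttributes(tag);
  if ('srcdoc' in attrs) return 'srcdoc is not allowed';
  for (const name of Object.keys(attrs)) if (name.startsWith('on')) return `event handler ${name}`;
  if (!('src' in attrs)) return 'missing src';
  let url;
  try { url = new URL(decodeEntities(attrs.src).trim()); } catch { return 'unparseable src'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return `scheme ${url.protocol} not allowed`;
  return null;
}

// Drop every <iframe> element (with its content, if any) that fails the check; leave the rest untouched.
function sanitizeIframes(html) {
  const elementRe = new RegExp(START_TAG + String.raw`(?:[\s\S]*?<\/iframe\s*>)?`, 'gi');
  const startRe = new RegExp('^' + START_TAG, 'i');
  return html.replace(elementRe, (el) => (iframeViolation(el.match(startRe)[0]) ? '' : el));
}
```

A src that does not parse as an absolute URL (relative paths included) is rejected as well, which is the conservative choice for an embed allowlist.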
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | 26.0.0 | | |
| npm | 26.0.0 | | |
| npm | 26.0.0 | | |