logo

Database

Clickjacking In @haxtheweb/haxcms-nodejs

Description

@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability

Summary

In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL.

Affected Resources

PoC

    Set the URL in an iframe pointing to an attacker-controlled server running Responder

image

    Once another user visits the site, they are prompted to sign in.

image

    If a user inputs credentials, the username and password hash are outputted in Responder.

image

Impact

An authenticated attacker can create a HAX site with a website block pointing at an attacker-controlled server running Responder or a similar tool. The attacker can then conduct a phishing attack by convincing another user to visit their malicious HAX site to harvest credentials.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-491392. NVD-2025-491393. OSV-2025-491394. GHSA-v3ph-2q5q-cg885. GCVE-2025-49139

References

1. https://github.com/haxtheweb/issues/security/advisories/GHSA-v3ph-2q5q-cg882. https://github.com/haxtheweb/haxcms-nodejs/commit/5368eb9b278ca47cd9a83b8d3e6216375615b8f5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.