+ "details": "## Summary\n\nHaxCMS is affected by a stored cross-site scripting (XSS) vulnerability in the `/system/api/saveNode` endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name.\n\nFor example, the sanitizer misses:\n\n```html\n<a href=\"#\"onclick=\"alert('kn1ph')\">click me</a>\n```\n\nThe important bypass is:\n\n```html\nhref=\"#\"onclick=\n```\n\nThe payload is stored in the generated page files and executes when a user clicks the injected link.\n\n## Details\n\nThe issue is caused by regex-based HTML sanitization that expects whitespace before event handler attributes. Because the sanitizer expects a pattern like:\n\n```html\nhref=\"#\" onclick=\"...\"\n```\n\nIt fails to remove an event handler when it is written without whitespace:\n\n```html\nhref=\"#\"onclick=\"...\"\n```\n\nBrowsers still parse `onclick` as a valid event handler attribute, so the JavaScript executes when the element is clicked.\n\nAffected endpoint:\n\n```text\nPOST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]\n```\n\nAffected parameter:\n\n```text\nnode.body\n```\n\n## PoC\n\n1. Log in to HaxCMS and edit any existing page.\n\n2. Capture the page save request in Burp Suite:\n\n```text\nPOST /system/api/saveNode?site_token=[VALID_SITE_TOKEN]\n```\n3. In the JSON request body, modify only the `node.body` value.\n\nChange:\n```json\n\"body\":\"...existing page content...\\n\"\n```\nTo:\n```json\n\"body\":\"...existing page content...\\n<a href=\\\"#\\\"onclick=\\\"alert('kn1ph')\\\">click me</a>\\n\"\n```\n\n5. Forward the request.\n\n6. Open the edited page and click `click me`.\n\nResult:\n\nThe JavaScript will execute and the alert will pop up. \n\nIt was confirmed that the payload is stored in the generated page files, including `index.html`.\n\n## Impact\n\nAn authenticated user with permissions to edit the page can inject stored JavaScript into the page content. If a privileged user interacts with the injected element while authenticated, the attacker controlled JavaScript will execute in that user’s browser.\n\nBased on local testing, the XSS can access browser-exposed HaxCMS data such as `localStorage.jwt` and `window.appSettings`, including API paths and tokens available to the authenticated user.\n\nThis may allow an attacker to perform actions as the victim within the limits of the exposed tokens and the victim’s permissions and possibly chain more vulnerabilities.",
0 commit comments