API Security Blog

GHSA-F38F-JVQJ-MFG6 NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access

Summary
The NodeJS version of HAX CMS uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks.

Details
If a user were to deploy haxcms-nodejs without modifying the default settings, 'HAXCMS_DISABLE_JWT_CHECKS' would be set to 'true' and their deployment would lack session authentication.

Affected Resources
package.json:13

PoC
To reproduce this vulnerability, install HAX CMS NodeJS. The application will load without JWT checks enabled.

Impact
Without security checks in place, an unauthenticated remote attacker could access, modify, and delete all site…
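As an added example (not code from the HAX CMS project), the following Node.js audit refuses to treat a deployment as safe when HAXCMS_DISABLE_JWT_CHECKS is left at the insecure default. The variable name comes from the advisory; the package.json fragments are constructed, and using NODE_ENV=development as the "local development" marker is an assumption.

```javascript
// Added example (not HAX CMS code): a startup audit for the insecure default
// described in GHSA-F38F-JVQJ-MFG6, where HAXCMS_DISABLE_JWT_CHECKS=true ships by default.

// Spellings a shell or a loose config parser would treat as "enabled".
const TRUTHY = new Set(["true", "1", "yes", "on"]);

function isTruthy(value) {
  return value !== undefined && TRUTHY.has(String(value).trim().toLowerCase());
}

// Find package.json scripts that set HAXCMS_DISABLE_JWT_CHECKS inline to a truthy value.
// The advisory cites package.json:13; the real line is not reproduced, so inputs here are constructed.
function scriptsDisablingJwt(pkg) {
  const re = /\bHAXCMS_DISABLE_JWT_CHECKS=(\S+)/;
  const hits = [];
  for (const [name, cmd] of Object.entries((pkg && pkg.scripts) || {})) {
    const m = re.exec(cmd);
    if (m && isTruthy(m[1])) hits.push(name);
  }
  return hits;
}

// Returns a finding instead of exiting, so a deploy pipeline or the app itself can act on it.
// NODE_ENV=development as the "local development" marker is an assumption, not a HAX CMS convention.
function auditStartup(env, pkg) {
  const viaEnv = isTruthy(env.HAXCMS_DISABLE_JWT_CHECKS);
  const viaScripts = scriptsDisablingJwt(pkg);
  if (!viaEnv && viaScripts.length === 0) {
    return { ok: true, reason: "JWT checks enabled" };
  }
  if (env.NODE_ENV === "development") {
    return { ok: true, reason: "JWT checks disabled, but deployment is marked local development" };
  }
  return { ok: false, reason: "HAXCMS_DISABLE_JWT_CHECKS is true outside local development", viaEnv, viaScripts };
}

// Constructed package.json fragments: a shipped-style insecure default and a hardened variant.
const DEFAULT_PKG = { scripts: { start: "HAXCMS_DISABLE_JWT_CHECKS=true node index.js" } };
const HARDENED_PKG = { scripts: { start: "HAXCMS_DISABLE_JWT_CHECKS=false node index.js" } };

// Run with an empty environment so the result depends only on the constructed inputs.
console.log(auditStartup({}, DEFAULT_PKG));   // ok: false, viaScripts: ["start"]
console.log(auditStartup({}, HARDENED_PKG));  // ok: true
```

Wiring auditStartup into the app's entry point, or into a pre-deploy check, turns the silent insecure default into a failed start or a blocked release.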
