SCA: security update for @haxtheweb/haxcms-nodejs, elmsln/haxcms (GHSA-54vw-f4xf-f92j)

medium Tenable Cloud Security Plugin ID 428595

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs
versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS
application do not contain headers to prevent other websites from loading the site within an iframe. This
applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login
page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking).
This can be used to perform social engineering attacks to attempt to coerce users into performing
unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and
haxcms-php 11.0.8. (CVE-2025-54139)

See Also

https://github.com/advisories/GHSA-54vw-f4xf-f92j

Plugin Details

Severity: Medium

ID: 428595

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 7/22/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-54139

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/21/2025

Vulnerability Publication Date: 7/21/2025

Reference Information

CVE: CVE-2025-54139