HIGH🇬🇧 English

CVE-2025-49141

CVSS 8.5v3.1pub. 2025-06-09upd. 2025-07-30

HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the `gitImportSite` functionality obtains a URL string from a POST request and insufficiently validates user input. The `set_remote` function later passes this input into `proc_open`, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by the `filter_var` and `strpos` functions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Psu Haxcms Node.js

    APP
    Psu
    < 11.0.3
  • Psu Haxcms PHP

    APP
    Psu
    < 11.0.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Command Injection
CWE
Referencje

Powiązane podatności

CVE-2025-54127CRITICAL9.3PL ✓ten sam produkt

HAXcms Node.js — brak uwierzytelnienia przez niebezpieczną konfigurację domyślną

CVE-2025-32028CRITICAL9.9PL ✓ten sam produkt

HAX CMS PHP — nierestrykcyjny upload plików (obejście denylisty)

CVE-2026-22704HIGH8.0ten sam produkt

HAX CMS helps manage microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX ...

CVE-2025-54378HIGH8.3ten sam produkt

HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and belo...

CVE-2025-54137HIGH7.3ten sam produkt

HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and belo...