@haxtheweb/haxcms-nodejs 11.0.6 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @haxtheweb/haxcms-nodejs package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improper Authorization @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Improper Authorization in the API endpoints, which do not verify user permissions before performing operations. An attacker can gain unauthorized access to resources or perform actions beyond their intended privileges by sending crafted requests to the affected endpoints. How to fix Improper Authorization? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.14 or higher.	<11.0.14
C Insecure Default Initialization of Resource @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default settings that disable authentication and authorization checks. An attacker can gain unauthorized access to, modify, or delete all site information by sending unauthenticated requests to the application. This is only exploitable if the default configuration is used without enabling authentication. How to fix Insecure Default Initialization of Resource? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.7 or higher.	<11.0.7
H Cross-site Scripting (XSS) @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the `contentSecurityPolicy` being explicitly disabled in the application's `Helmet` configuration within `app.js`. An attacker can execute arbitrary scripts in the context of a user's browser by injecting malicious content. How to fix Cross-site Scripting (XSS)? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.8 or higher.	<11.0.8
H Improper Input Validation @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Improper Input Validation via the `listFiles` and `saveFiles` endpoints when required URL parameters are missing. An attacker can cause the application to crash by sending API requests without the necessary parameters. How to fix Improper Input Validation? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.9 or higher.	<11.0.9
M Use of Default Credentials @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Use of Default Credentials via the `HAXCMSClass` in the `HAXCMS.js` file. An attacker can gain unauthorized access to self-hosted instances, modify site content, and perform further attacks by obtaining these secrets from public repositories. Note: This is exploitable if the instance is deployed without changing the default credentials or secrets. How to fix Use of Default Credentials? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.10 or higher.	<11.0.10
M Improper Restriction of Rendered UI Layers or Frames @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames via the lack of appropriate headers to prevent loading within an iframe. An attacker can trick users into performing unintended actions by embedding sensitive pages such as the standalone login page or other critical functionality within an iframe on a malicious site. How to fix Improper Restriction of Rendered UI Layers or Frames? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.13 or higher.	<11.0.13

Vulnerability

Vulnerable Version

Improper Authorization

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Improper Authorization in the API endpoints, which do not verify user permissions before performing operations. An attacker can gain unauthorized access to resources or perform actions beyond their intended privileges by sending crafted requests to the affected endpoints.

How to fix Improper Authorization?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.14 or higher.

<11.0.14

Insecure Default Initialization of Resource

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Insecure Default Initialization of Resource due to insecure default settings that disable authentication and authorization checks. An attacker can gain unauthorized access to, modify, or delete all site information by sending unauthenticated requests to the application. This is only exploitable if the default configuration is used without enabling authentication.

How to fix Insecure Default Initialization of Resource?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.7 or higher.

<11.0.7

Cross-site Scripting (XSS)

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the contentSecurityPolicy being explicitly disabled in the application's Helmet configuration within app.js. An attacker can execute arbitrary scripts in the context of a user's browser by injecting malicious content.

How to fix Cross-site Scripting (XSS)?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.8 or higher.

<11.0.8

Improper Input Validation

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Improper Input Validation via the listFiles and saveFiles endpoints when required URL parameters are missing. An attacker can cause the application to crash by sending API requests without the necessary parameters.

How to fix Improper Input Validation?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.9 or higher.

<11.0.9

Use of Default Credentials

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Use of Default Credentials via the HAXCMSClass in the HAXCMS.js file. An attacker can gain unauthorized access to self-hosted instances, modify site content, and perform further attacks by obtaining these secrets from public repositories.

Note: This is exploitable if the instance is deployed without changing the default credentials or secrets.

How to fix Use of Default Credentials?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.10 or higher.

<11.0.10

Improper Restriction of Rendered UI Layers or Frames

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames via the lack of appropriate headers to prevent loading within an iframe. An attacker can trick users into performing unintended actions by embedding sensitive pages such as the standalone login page or other critical functionality within an iframe on a malicious site.

How to fix Improper Restriction of Rendered UI Layers or Frames?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.13 or higher.

<11.0.13

@haxtheweb/haxcms-nodejs@11.0.6 vulnerabilities

HAXcms single and multisite nodejs server, api, and administration

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?