@haxtheweb/haxcms-nodejs 9.0.11 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the @haxtheweb/haxcms-nodejs package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C Command Injection @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Command Injection through the `gitImportSite` functionality which obtains and processes a URL string from a POST request. An attacker can execute arbitrary OS commands on the backend server by crafting a URL that bypasses the insufficient validation checks employed by the `filter_var` and `strpos` functions. How to fix Command Injection? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.3 or higher.	<11.0.3
M Improper Restriction of Rendered UI Layers or Frames @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames through the iframe URL parameter. An attacker can manipulate the iframe to point to a malicious site designed to capture user credentials by convincing a user to input their login details. How to fix Improper Restriction of Rendered UI Layers or Frames? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.0 or higher.	<11.0.0
H Cross-site Scripting (XSS) @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `saveNode` and `saveManifest` endpoints. An attacker can execute arbitrary JavaScript code by inserting malicious payloads into the JSON schema, which are then rendered on the site. How to fix Cross-site Scripting (XSS)? Upgrade `@haxtheweb/haxcms-nodejs` to version 11.0.0 or higher.	<11.0.0

Vulnerability

Vulnerable Version

Command Injection

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Command Injection through the gitImportSite functionality which obtains and processes a URL string from a POST request. An attacker can execute arbitrary OS commands on the backend server by crafting a URL that bypasses the insufficient validation checks employed by the filter_var and strpos functions.

How to fix Command Injection?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.3 or higher.

<11.0.3

Improper Restriction of Rendered UI Layers or Frames

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Improper Restriction of Rendered UI Layers or Frames through the iframe URL parameter. An attacker can manipulate the iframe to point to a malicious site designed to capture user credentials by convincing a user to input their login details.

How to fix Improper Restriction of Rendered UI Layers or Frames?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.0 or higher.

<11.0.0

Cross-site Scripting (XSS)

@haxtheweb/haxcms-nodejs is a HAXcms nodejs backend

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the saveNode and saveManifest endpoints. An attacker can execute arbitrary JavaScript code by inserting malicious payloads into the JSON schema, which are then rendered on the site.

How to fix Cross-site Scripting (XSS)?

Upgrade @haxtheweb/haxcms-nodejs to version 11.0.0 or higher.

<11.0.0

@haxtheweb/haxcms-nodejs@9.0.11 vulnerabilities

HAXcms single and multisite nodejs server, api, and administration

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?