{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/haxcms-nodejs--25.0.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["haxcms-nodejs (\u003c= 25.0.0)"],"_cs_severities":["critical"],"_cs_tags":["haxcms","xss","account-takeover"],"_cs_type":"advisory","_cs_vendors":["HAXtheWeb"],"content_html":"\u003cp\u003eHAXcms is vulnerable to a critical account takeover vulnerability stemming from a combination of stored XSS and insecure token handling. The vulnerability, present in versions 25.0.0 and earlier, allows an authenticated attacker to inject malicious JavaScript code into a page that, when viewed by another user, exfiltrates that user\u0026rsquo;s authentication tokens. The \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint dynamically leaks sensitive tokens into a global JavaScript variable (\u003ccode\u003ewindow.appSettings\u003c/code\u003e), which can be accessed and stolen via XSS. This vulnerability allows for complete cross-tenant account hijacking, enabling attackers to perform administrative actions without needing the victim\u0026rsquo;s password.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the HAXcms application with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious JavaScript code via a stored XSS vulnerability, such as within an iframe\u0026rsquo;s \u003ccode\u003esrcdoc\u003c/code\u003e or through a \u003ccode\u003e\u0026lt;video-player\u0026gt;\u003c/code\u003e tag, on a page they have write access to.\u003c/li\u003e\n\u003cli\u003eThe victim user views the compromised page.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes in the victim\u0026rsquo;s browser context.\u003c/li\u003e\n\u003cli\u003eThe JavaScript fetches the victim\u0026rsquo;s connection settings via \u003ccode\u003efetch('/\u0026lt;username\u0026gt;/system/api/connectionSettings')\u003c/code\u003e, which includes the victim\u0026rsquo;s valid JWT and tokens.\u003c/li\u003e\n\u003cli\u003eThe JavaScript parses the \u003ccode\u003ejwt\u003c/code\u003e, \u003ccode\u003euser_token\u003c/code\u003e, \u003ccode\u003esite_token\u003c/code\u003e, and \u003ccode\u003eappstore_token\u003c/code\u003e from the response.\u003c/li\u003e\n\u003cli\u003eThe JavaScript encodes the stolen tokens (including \u003ccode\u003ejwt\u003c/code\u003e, \u003ccode\u003euser_token\u003c/code\u003e, \u003ccode\u003esite_token\u003c/code\u003e, and \u003ccode\u003eappstore_token\u003c/code\u003e) using Base64 encoding.\u003c/li\u003e\n\u003cli\u003eThe JavaScript exfiltrates the encoded tokens to an attacker-controlled webhook using an image request to bypass CORS. The attacker now has the ability to impersonate the victim and perform administrative actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for complete account hijacking. An attacker who successfully exploits this vulnerability can impersonate a victim user without needing their password. This gives the attacker the ability to perform malicious administrative actions, such as creating or deleting sites, modifying user access, and uploading malicious content. The reliance on \u003ccode\u003ewindow.appSettings\u003c/code\u003e for storing long-lived administrative tokens creates a critical vulnerability when combined with XSS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HAXcms Connection Settings Request\u003c/code\u003e to detect requests to the \u003ccode\u003e/system/api/connectionSettings\u003c/code\u003e endpoint from unusual sources, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect HAXcms Token Exfiltration via Webhook\u003c/code\u003e to detect attempts to exfiltrate the tokens to external webhooks.\u003c/li\u003e\n\u003cli\u003eEnsure that all HAXcms instances are updated to a patched version that addresses this vulnerability to prevent CVE-2026-46511 exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T14:48:29Z","date_published":"2026-05-19T14:48:29Z","id":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-token-exfil/","summary":"HAXcms is vulnerable to stored XSS and exposes authentication tokens in the `/system/api/connectionSettings` endpoint, allowing an attacker to perform cross-tenant account takeover by injecting malicious JavaScript to steal the `jwt`, `user_token`, `site_token`, and `appstore_token`.","title":"HAXcms Cross-Tenant Account Takeover via Stored XSS and Token Exposure","url":"https://feed.craftedsignal.io/briefs/2026-05-haxcms-token-exfil/"}],"language":"en","title":"CraftedSignal Threat Feed — Haxcms-Nodejs (\u003c= 25.0.0)","version":"https://jsonfeed.org/version/1.1"}