CVE-2025-49141
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-49141
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49141.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-49141
- Aliases
- Related
- Published
- 2025-06-09T21:15:47Z
- Modified
- 2025-06-12T17:01:56.406608Z
- Summary
- [none]
- Details
-
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.3, the
gitImportSitefunctionality obtains a URL string from a POST request and insufficiently validates user input. Theset_remotefunction later passes this input intoproc_open, yielding OS command injection. An authenticated attacker can craft a URL string that bypasses the validation checks employed by thefilter_varandstrposfunctions in order to execute arbitrary OS commands on the backend server. The attacker can exfiltrate command output via an HTTP request. Version 11.0.3 contains a patch for the issue. - References
Affected packages
Git / github.com/haxtheweb/haxcms-nodejs
Affected ranges
- Type
- GIT
- Repo
- https://github.com/haxtheweb/haxcms-nodejs
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
10.*
10.0.0
v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v10.*
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v11.*
v11.0.0
v11.0.1
v11.0.2
v9.*
v9.0.0
v9.0.0-alpha.0
v9.0.0-alpha.1
v9.0.1
v9.0.10
v9.0.11
v9.0.12
v9.0.13
v9.0.14
v9.0.15
v9.0.16
v9.0.17
v9.0.18
v9.0.19
v9.0.2
v9.0.20
v9.0.21
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.0.7
v9.0.8
v9.0.9