CVE Alert: CVE-2025-48996
Vulnerability Summary: CVE-2025-48996
HAX open-apis provides microservice apis for HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the `haxPsuUsage` API endpoint, related to a flat present in open-apis versions up to and including 10.0.2. This allows any remote unauthenticated user to retrieve a full list of PSU websites hosted on HAX CMS. When chained with other authorization issues (e.g., HAX-3), this could assist in targeted attacks such as unauthorized content modification or deletion. Commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7 patches the vulnerability.
Affected Endpoints:
No affected endpoints listed.
Published Date:
6/2/2025, 8:15:23 PM
⚠️ CVSS Score:
Exploit Status:
Not ExploitedReferences:
- https://github.com/haxtheweb/issues/security/advisories/GHSA-fvx2-x7ff-fc56
- https://github.com/haxtheweb/open-apis/commit/06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
