VYPR
\" style=\"display:none\">\n```\n\n**3. Execution & Verification**\n- When the victim (e.g., user `bto108`) views the compromised page, their browser automatically fires the `fetch` request, silently attaching their active session cookie.\n- The server responds with their connection settings.\n- The script parses their `jwt`, `user_token`, and other keys, encoding them in base64.\n- The attacker receives the full JWT and token dump on their webhook.\n\n*Screenshots confirming the data leakage and webhook capture:*\n![Connection Settings Exposure](https://github.com/user-attachments/assets/1aeee4ee-9475-4430-b4d3-3c6254075d11)\n![Secondary Settings Leak](https://github.com/user-attachments/assets/7179c1a5-2bfb-4ab6-ba1d-29bcb61a74d3)\n![Cross-tenant Exfiltration Console](https://github.com/user-attachments/assets/1abd21ec-fd45-4bd8-ba67-9c0bb19e6b08)\n![Webhook Payload Capture](https://github.com/user-attachments/assets/751e5cab-f4ad-4ab4-b276-86bf738f0434)\n![Stolen Data Result](https://github.com/user-attachments/assets/a41e15f7-1652-4351-8cc9-a423f6220158)\n\n\n### Impact\n**Critical Severity.** \nThis attack completely compromises the primary defense mechanism of the CMS. By stealing the `jwt` and `user_token`, the attacker achieves **total account hijacking** without needing the victim's password. 
They can emulate the victim perfectly, bypassing standard interface restrictions to perform malicious administrative actions (creating/deleting sites, modifying user access, or uploading malicious content).\n\nThe reliance on a global Javascript variable (`window.appSettings`) to store long-lived administrative security tokens creates a devastating chokepoint when combined with XSS.","additionalType":"https://schema.org/SoftwareApplication","sameAs":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-46511"]},"keywords":"CVE-2026-46511, high, Haxtheweb Open Apis, HAX CMS HAXcms","mentions":[{"@type":"SoftwareApplication","name":"Open Apis","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"Haxtheweb"}},{"@type":"SoftwareApplication","name":"HAXcms","applicationCategory":"SecurityApplication","publisher":{"@type":"Organization","name":"HAX CMS"}}],"isAccessibleForFree":true},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://portal.vyprsec.ai/"},{"@type":"ListItem","position":2,"name":"CVEs","item":"https://portal.vyprsec.ai/cves"},{"@type":"ListItem","position":3,"name":"CVE-2026-46511","item":"https://portal.vyprsec.ai/cves/CVE-2026-46511"}]}]}
High severity · 8.7 · GHSA Advisory · Published May 19, 2026 · Updated May 19, 2026

HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack

CVE-2026-46511

Description

Summary

An attack chain utilizing Stored XSS alongside dynamic token exposure in the /system/api/connectionSettings endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including the jwt, user_token, site_token, and appstore_token) into a global JavaScript variable (window.appSettings). An attacker can exploit the XSS vulnerability to force a victim's browser to silently fetch their specific connection settings, extract the tokens, and exfiltrate them to an attacker-controlled webhook.

Details

In Operations.php (connectionSettings()), the system returns a JavaScript object designed to bootstrap the frontend context. This object, window.appSettings, acts as a "skeleton key" because it aggregates all necessary operational tokens for the active session.

While HAXcms correctly relies on the cryptographically signed JWT for backend authentication (preventing Direct Object Reference/IDOR attempts), the CMS fails to secure the tokens themselves. Specifically:

1. The Vector: The system is vulnerable to Stored XSS (e.g., via injected iframe srcdoc or `).
2. The Exposure: Because the connectionSettings endpoint serves the tokens locally based on the active PHPSESSID cookie, any malicious script running in the browser context can intercept these keys.
3. The Chain: HAXcms isolates user environments by URL path (//). An attacker can use XSS to force the victim's browser to fetch their target username's specific settings via fetch('//system/api/connectionSettings'). Since the browser implicitly attaches the victim's session cookie, the server authenticates the request and returns the victim's valid JWT and tokens.

PoC

1. Setup the Webhook Target Prepare an external webhook (e.g., webhook.site) to receive the stolen data.

2. Inject the "Kill Chain" Payload As an authenticated attacker (e.g., having edit access to any site), inject the following Javascript via the verified Stored XSS vectors (such as checking the HTML Source of a page and writing an ``):


3. Execution & Verification
- When the victim (e.g., user bto108) views the compromised page, their browser automatically fires the fetch request, silently attaching their active session cookie.
- The server responds with their connection settings.
- The script parses their jwt, user_token, and other keys, encoding them in base64.
- The attacker receives the full JWT and token dump on their webhook.

Screenshots confirming the data leakage and webhook capture (images not reproduced here): Connection Settings Exposure; Secondary Settings Leak; Cross-tenant Exfiltration Console; Webhook Payload Capture; Stolen Data Result.
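As an added detection example, not part of the advisory or of the HAXcms project: the chain above produces a request for one user's /<username>/system/api/connectionSettings from a page served under a different user's path, which is observable in ordinary web server access logs. The Python below scans combined-format log lines for exactly that mismatch. The sample lines, the host name cms.example.test, the usernames, and the assumption that the first path segment identifies the user environment are all constructed from the advisory's description, not real HAXcms output.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in Apache/nginx combined log format (not real HAXcms logs).
# Line 3 is the pattern from the advisory: a page under /attacker/ fetching /bto108/'s settings.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:10:01:02 +0000] "GET /bto108/system/api/connectionSettings HTTP/1.1" 200 812 "https://cms.example.test/bto108/site/course-1/" "Mozilla/5.0"
10.0.0.9 - - [19/May/2026:10:02:16 +0000] "GET /attacker/site/evil-page/ HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
10.0.0.9 - - [19/May/2026:10:02:17 +0000] "GET /bto108/system/api/connectionSettings HTTP/1.1" 200 812 "https://cms.example.test/attacker/site/evil-page/" "Mozilla/5.0"
10.0.0.7 - - [19/May/2026:10:03:40 +0000] "GET /alice/system/api/connectionSettings HTTP/1.1" 200 790 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Per-user layout described in the advisory (assumed): /<username>/system/api/connectionSettings
SETTINGS_RE = re.compile(r'^/(?P<tenant>[^/]+)/system/api/connectionSettings$')


def tenant_of(path):
    """First path segment, taken here as the user environment a page belongs to."""
    parts = path.split('/')
    return parts[1] if len(parts) > 1 and parts[1] else None


def analyze(log_text, own_host="cms.example.test"):
    """Return (timestamp, ip, requested_tenant, referer_tenant_or_url, reason) for
    successful connectionSettings requests whose Referer does not match the
    tenant whose settings were requested."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than failing the run
        rec = m.groupdict()
        sm = SETTINGS_RE.match(urlparse(rec["path"]).path)
        if not sm or rec["status"] != "200":
            continue  # only successful token deliveries matter
        requested = sm.group("tenant")
        ref = rec["referer"]
        if ref == "-":
            # Referrer-Policy can strip the header; surface for review, not as a confirmed hit
            alerts.append((rec["ts"], rec["ip"], requested, None, "no-referer"))
            continue
        ref_url = urlparse(ref)
        if ref_url.netloc != own_host:
            alerts.append((rec["ts"], rec["ip"], requested, ref, "foreign-referer"))
            continue
        ref_tenant = tenant_of(ref_url.path)
        if ref_tenant != requested:
            alerts.append((rec["ts"], rec["ip"], requested, ref_tenant, "cross-tenant"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The cross-tenant rule is the high-confidence signal; the missing-Referer case is reported separately because a strict Referrer-Policy or a direct API client produces it legitimately, so it should be triaged against the session's usual tenant rather than alerted on outright.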

Impact

Critical Severity. This attack completely compromises the primary defense mechanism of the CMS. By stealing the jwt and user_token, the attacker achieves total account hijacking without needing the victim's password. They can emulate the victim perfectly, bypassing standard interface restrictions to perform malicious administrative actions (creating/deleting sites, modifying user access, or uploading malicious content).

The reliance on a global JavaScript variable (window.appSettings) to store long-lived administrative security tokens creates a devastating chokepoint when combined with XSS.
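An added illustration in Python, not code from HAXcms (whose handler lives in Operations.php and is PHP): the weak pattern the advisory describes, every token serialized into window.appSettings, placed next to a bootstrap response that keeps the tokens server-side behind an HttpOnly cookie and sends a Content-Security-Policy whose connect-src confines fetch() to the CMS origin. The session record, token values, the cookie name haxauth, the origin cms.example.test and the leaked_secrets / exfil_allowed checkers are constructed assumptions for the example.

```python
import json
import re
import secrets

# Constructed session record; the real HAXcms session object is PHP-side and differs.
SESSION = {
    "user": "bto108",
    "jwt": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJidG8xMDgifQ.c2lnbmF0dXJl",
    "user_token": "u-" + "a" * 32,
    "site_token": "s-" + "b" * 32,
    "appstore_token": "p-" + "c" * 32,
    "site_name": "course-1",
    "theme": "clean",
}

SECRET_KEYS = {"jwt", "user_token", "site_token", "appstore_token"}
# Three base64url segments separated by dots: the shape of a compact JWS/JWT.
JWT_RE = re.compile(r'\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b')


def weak_connection_settings(session):
    """The pattern the advisory describes: the whole session, tokens included,
    is emitted as a global JavaScript object any script in the page can read."""
    body = "window.appSettings = " + json.dumps(session) + ";"
    return {"status": 200, "headers": {"Content-Type": "application/javascript"}, "body": body}


def hardened_connection_settings(session):
    """Bootstrap without secrets: tokens never reach JavaScript; authentication rides
    on an HttpOnly cookie and CSP restricts where page script may connect."""
    public = {k: v for k, v in session.items() if k not in SECRET_KEYS}
    # Per-response CSRF nonce (assumed design) that the frontend echoes in a header;
    # it authorizes one session's requests without being a reusable bearer credential.
    public["csrf_nonce"] = secrets.token_urlsafe(16)
    headers = {
        "Content-Type": "application/javascript",
        # <server-side-session-id> is a placeholder for an opaque id, never the JWT itself
        "Set-Cookie": "haxauth=<server-side-session-id>; HttpOnly; Secure; SameSite=Strict; Path=/",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; connect-src 'self'; frame-src 'none'",
    }
    body = "window.appSettings = " + json.dumps(public) + ";"
    return {"status": 200, "headers": headers, "body": body}


def leaked_secrets(response):
    """Review check for an endpoint's output: known token keys plus any JWT-shaped value."""
    found = set()
    payload = response["body"].split("=", 1)[1].rstrip(";").strip()
    obj = json.loads(payload)
    found.update(k for k in obj if k in SECRET_KEYS)
    if JWT_RE.search(response["body"]):
        found.add("jwt-shaped-value")
    return sorted(found)


def exfil_allowed(response, target_origin, own_origin="https://cms.example.test"):
    """Minimal connect-src evaluation: may page script fetch() target_origin under this CSP?
    Falls back to default-src as browsers do; no CSP at all means everything is allowed."""
    csp = response["headers"].get("Content-Security-Policy", "")
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True
    allowed = {own_origin if s == "'self'" else s for s in sources}
    return "*" in allowed or target_origin in allowed


if __name__ == "__main__":
    for name, resp in (("weak", weak_connection_settings(SESSION)),
                       ("hardened", hardened_connection_settings(SESSION))):
        print(name, "leaks:", leaked_secrets(resp),
              "external fetch allowed:", exfil_allowed(resp, "https://webhook.example"))
```

leaked_secrets is the check to run against a real endpoint's response body during review. The CSP evaluator is deliberately minimal (no host wildcards or scheme matching) and shows the policy decision rather than replacing a browser. Note the order of priorities: removing the tokens from JavaScript-readable state is the fix, because a script that still runs in the victim's origin can act with in-origin credentials regardless of CSP; the XSS itself must be closed, and CSP is defense in depth that makes the exfiltration step in the advisory fail.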

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS combined with token exposure in the connectionSettings endpoint enables cross-tenant account takeover in HAXcms.

Vulnerability

HAXcms is vulnerable to a stored cross-site scripting (XSS) attack chain that, when combined with dynamic token leakage from the /system/api/connectionSettings endpoint, enables cross-tenant account takeover. The connectionSettings() function in Operations.php exposes the active session's authentication tokens (jwt, user_token, site_token, and appstore_token) inside the global JavaScript variable window.appSettings. The endpoint is accessible to any authenticated user based on their PHPSESSID cookie. Affected versions include HAXcms releases prior to the fix [2][3].

Exploitation

An authenticated attacker with edit access to any site can inject a persistent XSS payload (e.g., via iframe srcdoc or `) [2]. This script, running in the victim's browser, performs a fetch to the target user's path (/victim-username/system/api/connectionSettings). Because the victim's browser automatically sends the victim's PHPSESSID cookie, the server returns the victim's `window.appSettings` object containing their tokens. The script then exfiltrates these tokens to an attacker-controlled webhook [2][3].

Impact

A successful attack allows the attacker to obtain the victim's complete set of authentication tokens, including the cryptographically signed JWT. With these tokens, the attacker can impersonate the victim across tenants, effectively achieving a full account takeover. The scope of compromise includes all actions the victim can perform within HAXcms [1][2].

Mitigation

As of the advisory publication date (2026-05-19), a fix has not been released publicly. The issue is tracked in the HAXcms issue queue [1] and the GitHub Security Advisory [2][3]. No workaround is documented; users should monitor the HAXcms repository for a patched version and apply it immediately upon release. The vulnerability is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)