CVE-2025-54129
Severity: MEDIUM
HAXiam < 11.0.5 - Authenticated User Enumeration via Response Discrepancy
HAXiam is a packaging wrapper for HAXcms which allows anyone to spawn their own microsite management platform. In versions 11.0.4 and below, the application returns a 200 response when requesting the data of a valid user and a 404 response when requesting the data of an invalid user. This can be used to infer the existence of valid user accounts. An authenticated attacker can use automated tooling to brute force potential usernames and use the application's response to identify valid accounts. This can be used in conjunction with other vulnerabilities, such as the lack of authorization checks, to enumerate and deface another user's sites. This is fixed in version 11.0.5.
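As an added example (not code from HAXiam, HAXcms or the advisory), the following Python models the discrepancy the description refers to in-process so that the attack, one possible hardening and a detection check can all be run offline. The handler names, the account list, the probe name and the access-log excerpt are constructed for illustration; the "hardened" handler shows one way to remove the discrepancy and is not the project's actual 11.0.5 patch.

```python
"""Response-discrepancy user enumeration (CWE-204), modelled in-process.

Added example: nothing here is HAXiam's own code. The endpoint handlers,
the account list and the access log are constructed stand-ins so the
attack, a hardening, and a detection check can run offline.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample account list (not real HAXiam data).
ACCOUNTS = {"alice", "bob", "carol"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def vulnerable_user_data(requester: str, target: str) -> Response:
    """Models the pre-11.0.5 behaviour in the advisory: any authenticated
    caller gets 200 for an existing user and 404 for an unknown one."""
    if requester not in ACCOUNTS:
        return Response(401, "unauthenticated")
    if target in ACCOUNTS:
        return Response(200, f'{{"user": "{target}"}}')
    return Response(404, "not found")


def hardened_user_data(requester: str, target: str) -> Response:
    """Illustrative hardening (not the project's 11.0.5 patch): a caller may
    read only its own record, and every other request returns exactly the
    same status and body whether or not the target exists."""
    if requester not in ACCOUNTS:
        return Response(401, "unauthenticated")
    if requester == target:
        return Response(200, f'{{"user": "{target}"}}')
    return Response(404, "not found")


Endpoint = Callable[[str, str], Response]


def enumerate_users(endpoint: Endpoint, requester: str,
                    wordlist: Iterable[str]) -> list[str]:
    """Brute-force candidate names as an authenticated attacker would and keep
    every one whose response differs from the unknown-user baseline."""
    baseline = endpoint(requester, "no-such-user-7f3a")  # constructed probe name
    found = []
    for name in wordlist:
        if name == requester:          # the attacker's own account proves nothing
            continue
        r = endpoint(requester, name)
        if (r.status, r.body) != (baseline.status, baseline.body):
            found.append(name)
    return found


# Constructed access-log excerpt as (authenticated requester, status) pairs for
# the user-data path. An enumeration run shows up as one account collecting
# many 404s in a short window.
SAMPLE_LOG = [
    ("alice", 404), ("alice", 200), ("alice", 404), ("alice", 404),
    ("alice", 404), ("bob", 200), ("carol", 404), ("bob", 200),
]


def suspicious_requesters(log: list[tuple[str, int]], threshold: int = 3) -> list[str]:
    """Detection check: flag requesters with at least `threshold` 404s."""
    misses: dict[str, int] = {}
    for requester, status in log:
        if status == 404:
            misses[requester] = misses.get(requester, 0) + 1
    return sorted(r for r, n in misses.items() if n >= threshold)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "dave", "erin"]
    print("vulnerable:", enumerate_users(vulnerable_user_data, "alice", wordlist))
    print("hardened:  ", enumerate_users(hardened_user_data, "alice", wordlist))
    print("flagged:   ", suspicious_requesters(SAMPLE_LOG))
```

The enumerator compares both status and body against a baseline rather than hard-coding "200 means valid", because a fix that only changes the status code but leaves a different body, length or timing still leaks the same bit; a real check against a live target should compare the whole response, including size and latency. The log-based check is the operational counterpart: a single authenticated account generating a burst of 404s on a per-user data path is the signature of this class of brute force.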
References (1)
Exploit, Third Party Advisory (vendor-confirmed source)
https://github.com/haxtheweb/issues/security/advisories/GHSA-wh3h-vfcv-m5g5
Scores
CVSS v3 base score: 4.3
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0025 (0.25% estimated probability of exploitation in the next 30 days)
EPSS Percentile: 16.1%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-204 (Observable Response Discrepancy)
Status: published
Products (1)
psu/haxiam < 11.0.5
Published: Jul 21, 2025
Tracked Since: Feb 18, 2026