
Cloud Vulnerability DB
A community-led vulnerabilities database
An unauthenticated information disclosure vulnerability (CVE-2025-48996) was discovered in the Penn State University deployment of the HAX content management system. The vulnerability exists in the haxPsuUsage API endpoint within the open-apis component, affecting versions up to and including 10.0.2. The issue was disclosed on June 2, 2025, and has been assigned a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory).
The vulnerability exists in the haxPsuUsage.js file where the API endpoint https://open-apis.hax.cloud/api/services/stats/haxPsuUsage returns a list of websites without implementing any authentication or authorization checks. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality (GitHub Advisory).
The vulnerability allows any remote unauthenticated user to retrieve a complete list of PSU websites hosted on the HAX CMS. When combined with other authorization issues (such as HAX-3), this information disclosure could facilitate targeted attacks, potentially leading to unauthorized content modification or deletion of academic, instructional, and departmental sites (GitHub Advisory).
The vulnerability has been patched in commit 06c2e1fbb7131a8fe66aa0600f38dcacae6b7ac7, which modifies the API response to only return overall data instead of detailed site listings. Organizations should upgrade to versions after June 2, 2025, to receive the security fix (GitHub Commit).
Source: This report was generated using AI
Free Vulnerability Assessment
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
"We know that if Wiz identifies something as critical, it actually is."