CVE-2025-69240 (GCVE-0-2025-69240)
Vulnerability from cvelistv5
Published
2026-03-16 11:53
Modified
2026-03-16 13:49
Severity ?
7.5 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CWE
  • CWE-348 - Use of Less Trusted Source
Summary
Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim's password and take over the victim's account. This issue was fixed in version 1.4.6.
References
Impacted products
Vendor Product Version
Raytha Raytha Version: 0   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-69240",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T13:38:23.906395Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T13:49:56.666Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Raytha",
          "repo": "https://github.com/raythahq/raytha",
          "vendor": "Raytha",
          "versions": [
            {
              "lessThan": "1.4.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Basta"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\u0026nbsp;can force the server to send an email with\u0026nbsp;password reset link pointing to the domain from spoofed header. When victim clicks the link,\u0026nbsp;browser sends request to the attacker\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\u0026nbsp;over the victim\u0027s account.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 1.4.6.\u003cbr\u003e"
            }
          ],
          "value": "Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\u00a0can force the server to send an email with\u00a0password reset link pointing to the domain from spoofed header. When victim clicks the link,\u00a0browser sends request to the attacker\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\u00a0over the victim\u0027s account.\n\nThis issue was fixed in version 1.4.6."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-50",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-50 Password Recovery Exploitation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-348",
              "description": "CWE-348 Use of Less Trusted Source",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-16T11:53:41.514Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/03/CVE-2025-69236"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://raytha.com"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Header Poisoning in Raytha CMS",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2025-69240",
    "datePublished": "2026-03-16T11:53:41.514Z",
    "dateReserved": "2025-12-30T08:44:21.410Z",
    "dateUpdated": "2026-03-16T13:49:56.666Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-69240\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-16T13:38:23.906395Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-16T13:43:59.410Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"Header Poisoning in Raytha CMS\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Daniel Basta\"}], \"impacts\": [{\"capecId\": \"CAPEC-50\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-50 Password Recovery Exploitation\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.5, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/raythahq/raytha\", \"vendor\": \"Raytha\", \"product\": \"Raytha\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.4.6\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://cert.pl/en/posts/2026/03/CVE-2025-69236\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://raytha.com\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\\u00a0can force the server to send an email with\\u00a0password reset link pointing to the domain from spoofed header. When victim clicks the link,\\u00a0browser sends request to the attacker\\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\\u00a0over the victim\u0027s account.\\n\\nThis issue was fixed in version 1.4.6.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim\u0027s email address)\u0026nbsp;can force the server to send an email with\u0026nbsp;password reset link pointing to the domain from spoofed header. When victim clicks the link,\u0026nbsp;browser sends request to the attacker\\u2019s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim\u0027s password and take\u0026nbsp;over the victim\u0027s account.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 1.4.6.\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-348\", \"description\": \"CWE-348 Use of Less Trusted Source\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2026-03-16T11:53:41.514Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-69240\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-16T13:49:56.666Z\", \"dateReserved\": \"2025-12-30T08:44:21.410Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2026-03-16T11:53:41.514Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.