Full Report
CERT Polska has received a report about 11 vulnerabilities (CVE-2025-15540 and from CVE-2025-69236 to CVE-2025-69243 and from CVE-2025-69245 to CVE-2025-69246) found in Raytha software.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Raytha CMS
## CVE Details
This report covers 11 vulnerabilities identified by CERT Polska:
- **CVE-2025-15540**: Code Injection (CWE-94) - **Critical/High**
- **CVE-2025-69236**: Stored XSS (CWE-79)
- **CVE-2025-69237**: Stored XSS (CWE-79)
- **CVE-2025-69238**: Cross-Site Request Forgery (CWE-352)
- **CVE-2025-69239**: Server-Side Request Forgery (CWE-918)
- **CVE-2025-69240**: Use of Less Trusted Source (CWE-348)
- **CVE-2025-69241**: Stored XSS (CWE-79)
- **CVE-2025-69242**: Reflected XSS (CWE-79)
- **CVE-2025-69243**: Observable Response Discrepancy (CWE-204)
- **CVE-2025-69245**: Reflected XSS (CWE-79)
- **CVE-2025-69246**: Lack of Brute Force Protection (CWE-307)
*Note: Specific CVSS scores were not provided in the source text, but CWE-94 and account takeover flaws typically rate High to Critical.*
## Affected Systems
- **Products**: Raytha CMS
- **Versions**:
  - CVE-2025-69243: All versions before **1.5.0**.
  - All other CVEs: All versions before **1.4.6**.
- **Configurations**: Default installations; profile editing and password reset functionalities are specific areas of concern.
## Vulnerability Description
The vulnerabilities range from administrative bypasses to client-side attacks:
- **Code Injection (CVE-2025-15540):** Improper control of code generation allows arbitrary code execution.
- **XSS (Stored/Reflected):** Multiple parameters (FirstName, LastName, backToListUrl, returnUrl) lack neutralization, allowing JavaScript execution in the context of a victim's session.
- **Account Takeover (CVE-2025-69240):** An attacker can spoof HTTP headers to redirect password reset links to an attacker-controlled domain, capturing reset tokens.
- **SSRF (CVE-2025-69239):** The application can be coerced into making requests to internal or external systems.
- **User Enumeration (CVE-2025-69243):** Password reset responses differ based on whether a username exists, facilitating brute-force targeting.
- **Lack of Throttling (CVE-2025-69246):** Missing lockout mechanisms allow automated credential stuffing.
## Exploitation
- **Status**: Reported via CVD (Coordinated Vulnerability Disclosure); no mention of active exploitation in the wild.
- **Complexity**: Low to Medium (many are standard web application flaws).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: High (Data theft via XSS, SSRF, and credential harvesting).
- **Integrity**: High (Unauthorized profile modification and account takeover).
- **Availability**: Medium (Potential impact from automated brute-force/injection).
## Remediation
### Patches
- **Upgrade to Raytha version 1.5.0** to resolve all listed vulnerabilities (including the user enumeration fix).
- If upgrading to 1.5.0 is not immediately possible, **version 1.4.6** resolves 10 of the 11 issues.
### Workarounds
- Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in `returnUrl` and `backToListUrl` parameters.
- Restrict egress traffic from the CMS server to prevent SSRF exploitation.
## Detection
- **Indicators of Compromise**: Monitor logs for unusual HTTP headers (Host/X-Forwarded-Host) during password reset requests. Look for `<script>` tags or unusual HTML in user profile fields.
- **Detection methods**: Audit login logs for high frequencies of failed attempts from single IP addresses (indicating brute-force attacks).
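The two detection checks above, as an added Python example that is not part of the CERT Polska advisory or of Raytha: it runs both over a constructed access-log sample, flagging password reset requests whose Host or X-Forwarded-Host header names a foreign domain and client IPs that exceed a failed-login threshold. The hostnames, request paths and log format are assumed placeholders.

```python
import re
from collections import Counter

ALLOWED_HOSTS = {"cms.example.org"}      # hostnames the CMS legitimately answers on (assumed placeholder)
RESET_PATH = "/account/forgot-password"  # assumed placeholder path, not Raytha's real route
LOGIN_PATH = "/account/login"            # assumed placeholder path
FAILED_LOGIN_THRESHOLD = 5
# Constructed sample access log: ip method path status host=<Host> xfh=<X-Forwarded-Host>
SAMPLE_LOG = """\
10.0.0.5 POST /account/forgot-password 200 host=cms.example.org xfh=-
203.0.113.9 POST /account/forgot-password 200 host=attacker.example.net xfh=-
203.0.113.9 POST /account/forgot-password 200 host=cms.example.org xfh=attacker.example.net
198.51.100.7 POST /account/login 401 host=cms.example.org xfh=-
198.51.100.7 POST /account/login 401 host=cms.example.org xfh=-
198.51.100.7 POST /account/login 401 host=cms.example.org xfh=-
198.51.100.7 POST /account/login 401 host=cms.example.org xfh=-
198.51.100.7 POST /account/login 401 host=cms.example.org xfh=-
10.0.0.8 POST /account/login 401 host=cms.example.org xfh=-
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
                     r"host=(?P<host>\S+) xfh=(?P<xfh>\S+)$")

def parse_line(line):
    """Fields of one log line in the constructed format above, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def records(log_text):
    return [r for r in map(parse_line, log_text.splitlines()) if r]

def spoofed_reset_hosts(log_text):
    """Password reset requests whose Host or X-Forwarded-Host is not an allowed hostname:
    the precondition for a reset link being built for a foreign domain (CWE-348)."""
    hits = []
    for rec in records(log_text):
        if rec["path"] != RESET_PATH:
            continue
        for header in ("host", "xfh"):
            value = rec[header]
            if value != "-" and value.split(":")[0].lower() not in ALLOWED_HOSTS:
                hits.append((rec["ip"], header, value))
    return hits

def brute_force_sources(log_text, threshold=FAILED_LOGIN_THRESHOLD):
    """Client IPs with at least `threshold` failed (401) logins (CWE-307 indicator)."""
    failures = Counter(r["ip"] for r in records(log_text)
                       if r["path"] == LOGIN_PATH and r["status"] == "401")
    return {ip: n for ip, n in failures.items() if n >= threshold}
```

In a real deployment the allowed-host set should match the exact hostnames the CMS is configured to serve, and the reset path should be taken from the application's actual routing.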
## References
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/posts/2026/03/vulnerabilities-in-raytha-software/
- **CVD Policy**: hxxps[://]cert[.]pl/en/cvd/
- **CVE Records**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2025-15540