CVE-2025-69245 in Raytha
Summary
by MITRE • 03/16/2026
Raytha CMS is vulnerable to Reflected XSS via returnUrl parameter in logon functionality. An attacker can craft a malicious URL which, when opened by the authenticated victim, results in arbitrary JavaScript execution in the victim’s browser.
This issue was fixed in 1.4.6.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/16/2026
Raytha CMS version 1.4.6 contains a reflected cross-site scripting vulnerability that specifically affects the login functionality through the returnUrl parameter. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, where the application fails to properly sanitize user input before incorporating it into dynamic web content. The flaw exists because the system does not adequately validate or escape the returnUrl parameter that is used to redirect users after successful authentication, allowing malicious input to be executed as script code within the victim's browser context.
The technical exploitation of this vulnerability requires an attacker to craft a malicious URL containing crafted JavaScript payload within the returnUrl parameter. When an authenticated user clicks such a link, the CMS processes the malicious input and reflects it back in the login page response without proper sanitization. This creates an environment where the victim's browser executes the injected script code, potentially leading to session hijacking, credential theft, or further malicious activities. The vulnerability is particularly dangerous because it leverages the legitimate login flow to deliver the malicious payload, making it more likely to succeed in social engineering attacks.
The operational impact of this reflected XSS vulnerability is significant for Raytha CMS users and administrators. An attacker could potentially steal session cookies, execute malicious commands in the victim's browser, or redirect users to phishing sites that mimic the legitimate CMS interface. This vulnerability undermines the security of the authentication system and could lead to unauthorized access to administrative functions. The attack vector is relatively simple to implement, requiring only the ability to send malicious links to targeted users, which makes it particularly concerning for organizations relying on the CMS for content management. The vulnerability affects all versions prior to 1.4.6, indicating that organizations running older versions are exposed to potential exploitation.
Organizations should immediately update to Raytha CMS version 1.4.6 or later to remediate this vulnerability. The fix implemented in this version likely includes proper input validation and output encoding for the returnUrl parameter, preventing malicious content from being executed. Additional mitigations include implementing content security policies to restrict script execution, monitoring for suspicious URL patterns in authentication logs, and educating users about the dangers of clicking untrusted links. From a defensive perspective, this vulnerability aligns with ATT&CK technique T1566.001 for credential access through phishing, and demonstrates the importance of input validation in web applications. Organizations should also consider implementing web application firewalls to detect and block malicious payloads targeting similar vulnerabilities in other CMS components.