EUVD-2025-208705
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L
Lifecycle Timeline
3Description
Raytha CMS is vulnerable to Server-Side Request Forgery in the “Themes - Import from URL” feature. It allows an attacker with high privileges to provide the URL for redirecting server-side HTTP request. This issue was fixed in version 1.4.6.
Analysis
Raytha CMS contains a Server-Side Request Forgery (SSRF) vulnerability in its Theme Import from URL feature that allows authenticated high-privilege users to manipulate server-side HTTP requests to arbitrary destinations. An attacker with administrative or similar elevated privileges can leverage this to redirect the CMS server's outbound requests to internal systems, external resources, or arbitrary URLs, potentially leading to information disclosure or lateral movement attacks. The vulnerability affects versions prior to 1.4.6 and is fixed in version 1.4.6 and later.
Technical Context
This vulnerability is rooted in CWE-918 (Server-Side Request Forgery), a class of attacks where an application makes HTTP requests to attacker-specified URLs without proper validation or restriction. In Raytha CMS (a content management system), the Theme Import from URL feature accepts user-supplied URLs and fetches remote theme files server-side. The application fails to implement adequate safeguards such as URL allowlisting, hostname validation, DNS rebinding protections, or blocking access to private IP address ranges (RFC 1918, link-local, loopback). When processing theme imports, the server does not restrict the destination of the HTTP request, allowing an attacker to craft requests to internal services (e.g., localhost:8080, 192.168.x.x), cloud metadata endpoints (169.254.169.254), or external malicious servers. The vulnerability requires high privileges (PR:H in CVSS v4.0), indicating the attacker must already possess administrative credentials or equivalent access to the CMS.
Affected Products
Raytha CMS versions prior to 1.4.6 are affected by this vulnerability. The vendor released version 1.4.6 as the fixed version containing patches to validate and restrict URLs in the Theme Import from URL feature. Organizations running Raytha CMS should verify their installed version and upgrade to 1.4.6 or any subsequent release.
Remediation
Immediately upgrade Raytha CMS to version 1.4.6 or later, which includes patches to validate theme import URLs and prevent SSRF attacks. For organizations unable to patch immediately, implement network-level controls by restricting outbound connections from the CMS server to only approved external repositories and blocking access to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, and 169.254.0.0/16). Additionally, audit and minimize the number of users with administrative privileges, enforce strong authentication (multi-factor authentication), and monitor outbound HTTP requests from the CMS application for suspicious destinations. If theme imports are not essential, disable the Theme Import from URL feature entirely and switch to manual or pre-validated theme uploads.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today