2026-03-16 11:53:41
CERT-PL
PUBLISHED
Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain. The attacker (who knows the victims email address) can force the server to send an email with password reset link pointing to the domain from spoofed header. When victim clicks the link, browser sends request to the attacker’s domain with the token in the path allowing the attacker to capture the token. This allows the attacker to reset victims password and take over the victims account. This issue was fixed in version 1.4.6.