Security Advisory - Cross-site scripting vulnerabilities

December 20, 2013 | Posted by Cody


Affected Versions

Versions 3.0.0 through 3.0.6 are affected.

Description

Some content may be rendered in the client and admin interfaces, and through the Support plugin, without proper sanitization, which can expose those interfaces to cross-site scripting (XSS) attacks. Patch release 3.0.7 corrects these vulnerabilities.
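The defect class the advisory describes is untrusted content reaching the browser without output encoding. The following is an added illustration, not Blesta's code and not the fix shipped in 3.0.7; the ticket fields, the template shape and the helper names are constructed for the example. It contrasts raw interpolation with context-aware encoding, and shows why HTML-escaping alone is not enough for URL attributes.

```python
import html
from urllib.parse import urlsplit

# Constructed sample ticket (not data from the advisory): each field carries
# markup that would become live if a template handed it to the browser raw.
SAMPLE_TICKET = {
    "subject": "Invoice question <script>alert(1)</script>",
    "email": 'user@example.com" onmouseover="alert(1)',
    "website": "javascript:alert(1)",
}

# Schemes permitted in href/src attributes; everything else is neutralised.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def render_unsafe(ticket):
    """The pattern the advisory describes: field values interpolated into
    HTML with no encoding. Kept only to contrast with render_ticket()."""
    return (
        f'<h2>{ticket["subject"]}</h2>'
        f'<input name="email" value="{ticket["email"]}">'
        f'<a href="{ticket["website"]}">site</a>'
    )


def encode_html(value):
    """Encode for HTML text and quoted-attribute contexts.

    html.escape with quote=True rewrites & < > " and ', so a value can neither
    open a new tag nor break out of a double- or single-quoted attribute."""
    return html.escape(str(value), quote=True)


def safe_url(value):
    """Encoding is context-specific: HTML-escaping a URL does nothing about a
    javascript: scheme, so href/src values also need a scheme allow-list.
    Anything not on the list (including relative paths, which carry no
    scheme) collapses to an inert fragment link."""
    cleaned = str(value).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in ALLOWED_SCHEMES else "#"


def render_ticket(ticket):
    """Hardened rendering: every untrusted field passes through the encoder
    that matches the context it lands in."""
    return (
        f'<h2>{encode_html(ticket["subject"])}</h2>'
        f'<input name="email" value="{encode_html(ticket["email"])}">'
        f'<a href="{encode_html(safe_url(ticket["website"]))}">site</a>'
    )


def leaks_active_markup(rendered, ticket):
    """Cheap regression check for templates: does any raw field value that
    contains tag or quote characters survive verbatim in the output?
    It only catches missing HTML encoding; scheme problems in URLs are the
    job of safe_url()."""
    risky = [v for v in ticket.values() if any(c in v for c in '<>"\'')]
    return any(v in rendered for v in risky)


if __name__ == "__main__":
    unsafe = render_unsafe(SAMPLE_TICKET)
    hardened = render_ticket(SAMPLE_TICKET)
    print("unsafe:  ", unsafe)
    print("hardened:", hardened)
    print("unsafe leaks markup:  ", leaks_active_markup(unsafe, SAMPLE_TICKET))
    print("hardened leaks markup:", leaks_active_markup(hardened, SAMPLE_TICKET))
```

The point of the two encoders is that "sanitization" is not one operation: text and attribute bodies need character escaping, while URL-valued attributes need a scheme check before that escaping, because a `javascript:` URL contains none of the characters escaping touches.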

Resolution

Upgrade to version 3.0.7, or uninstall the affected plugins. Related tasks:

  1. CORE-877
  2. CORE-931
  3. CORE-932

Credits

CORE-931 was discovered by Clifford Trigo (@mrtrizaeron) and Evan Ricafort (@robinhood0x00). CORE-877 and CORE-932 were discovered by the Blesta Development Team.