
Security Advisory – Two-Factor and Privilege Issues

May 14, 2014 | Posted by Cody


Affected Versions

Versions 3.0.0 through 3.1.3 are affected.

Description

A user who already holds a valid username and password may be able to pass two-factor authentication (TOTP) by guessing the correct code. This issue is classified as a Low vulnerability. (CORE-1213)
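The defensive counterpart to the issue above is a TOTP check that cannot be guessed at leisure: a six-digit code has only a million values, so the verifier, not the code length, has to bound the attacker's attempts. The following is an added illustration, not code from this advisory or from Blesta. It implements RFC 4226 HOTP / RFC 6238 TOTP from the standard library, compares codes in constant time, allows one 30-second step of clock skew either way, and locks an account after a fixed number of wrong codes. The attempt limit, lockout duration and the in-memory counters are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct
from collections import defaultdict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Verifies TOTP codes while throttling guesses per user.

    Assumed policy for this example: after MAX_ATTEMPTS consecutive failures
    the user is locked out for LOCKOUT_SECONDS; a correct code resets the
    failure counter. A real deployment would persist this state and log
    lockouts for the SOC rather than keep it in process memory.
    """

    MAX_ATTEMPTS = 5
    LOCKOUT_SECONDS = 300
    STEP = 30

    def __init__(self):
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, user: str, now: int) -> bool:
        return self._locked_until.get(user, 0) > now

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        if self.is_locked(user, now):
            # Fail closed without even computing the expected code.
            return False
        # Accept the current time step plus one step of skew on either side.
        for drift in (-1, 0, 1):
            expected = totp(secret, now + drift * self.STEP, self.STEP)
            # compare_digest avoids leaking the correct digits via timing.
            if hmac.compare_digest(expected, code):
                self._failures[user] = 0
                return True
        self._failures[user] += 1
        if self._failures[user] >= self.MAX_ATTEMPTS:
            self._locked_until[user] = now + self.LOCKOUT_SECONDS
            self._failures[user] = 0
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret; time 59 -> "287082".
    secret = b"12345678901234567890"
    v = TotpVerifier()
    print(totp(secret, 59))
    for _ in range(TotpVerifier.MAX_ATTEMPTS):
        v.verify("alice", secret, "000000", 59)
    print("locked:", v.is_locked("alice", 59))
```

With the skew window of three steps, an attacker gets at most three chances per guess, so the lockout threshold, not the window, is what caps the guessing rate; widen the window and you must tighten the threshold accordingly.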

An authenticated staff member may be able, under limited circumstances and using carefully crafted HTTP POST requests, to change settings that ACL restrictions would otherwise prohibit them from changing. This issue is classified as a Moderate vulnerability. (CORE-1163)
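The general lesson behind an issue of this kind is that authorization must be enforced on the server for every field a request tries to change, not inferred from which fields the form happened to render. The following added example is not code from this advisory or from Blesta; the role names, setting keys and ACL table are constructed for illustration. It places a handler that trusts the posted body next to one that checks each posted key against the staff member's ACL and rejects the whole request if any key is not permitted.

```python
from dataclasses import dataclass

# Constructed ACL for the example: the settings each staff role may change.
ROLE_PERMISSIONS = {
    "billing": {"invoice_due_days", "late_fee_percent"},
    "support": {"ticket_auto_close_days"},
    "admin": {"invoice_due_days", "late_fee_percent",
              "ticket_auto_close_days", "smtp_host"},
}


@dataclass
class Staff:
    username: str
    role: str


def update_settings_unsafe(settings: dict, staff: Staff, posted: dict) -> dict:
    """Vulnerable pattern: assumes the UI only rendered the fields this staff
    member may edit, so every posted key is written. A client can post any
    key it likes, so the ACL is bypassed."""
    settings.update(posted)
    return settings


def update_settings_safe(settings: dict, staff: Staff, posted: dict):
    """Hardened pattern: every posted key is checked against the ACL on the
    server. Unknown roles get an empty permission set (fail closed). If any
    key is not permitted the whole request is rejected and the offending keys
    are returned so the caller can log the attempt."""
    allowed = ROLE_PERMISSIONS.get(staff.role, set())
    rejected = sorted(key for key in posted if key not in allowed)
    if rejected:
        return settings, rejected
    settings.update(posted)
    return settings, []


if __name__ == "__main__":
    # Constructed request: a support staff member posts a permitted key
    # alongside one their role is not allowed to touch.
    posted = {"ticket_auto_close_days": "7", "smtp_host": "mail.example.test"}
    support = Staff("sam", "support")
    print(update_settings_unsafe({"smtp_host": "mail.internal"}, support, dict(posted)))
    print(update_settings_safe({"smtp_host": "mail.internal"}, support, dict(posted)))
```

Rejecting the whole request rather than silently dropping the unauthorized keys is deliberate: a partial apply hides the fact that a client sent fields it should not have, which is exactly the event a detection team wants surfaced.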

Resolution

If you are running 3.0.x or 3.1.0 through 3.1.3, upgrade to version 3.1.4 or version 3.2.0.

Related tasks:

  1. CORE-1163
  2. CORE-1213

Credits

CORE-1163 was discovered by the Blesta Development Team. CORE-1213 was discovered by Kyle at MemoryX2.
