Security Advisory
Several security issues affecting Blesta versions 3.0.0 through 5.13.7 have been identified. Patches are being released for the 5.12 and 5.13 branches.
These include an authorization issue, a low-severity enumeration issue on a public endpoint (no customer or account data is exposed), an inbound email header parsing issue in the Support Manager, two issues that could allow code execution by a caller already holding valid API credentials, a password-reset flow issue that could weaken account protections under specific conditions, and additional hardening to CSRF token verification and the Uploads component. Individual issues range in severity, but we give this an overall impact rating of High based on the most severe issue. We recommend applying the appropriate patch for your release, or upgrading to version 5.13.8 as soon as possible.
More information about how we rate vulnerabilities can be found on our Security Advisories page.
Always back up your files and database prior to upgrading and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. A patch release may only be applied to the minor release to which it belongs, so download the patch that matches your minor version. If you are running a version of Blesta between 3.0 and 5.11, for which no patch is provided, upgrade to 5.13.8 Full.
Downloads
5.13.8 Full: blesta-5.13.8.zip
SHA-256: b88fc1dc765f335ffb79155b0b8d606fad79924e7842fd94bc827ea4a0e12d15
5.13.8 Patch: blesta-5.13.0-5.13.8.zip
SHA-256: 9f3b93080020359a3818ca7ac64ab8cfb084d7c60571bdb58258d742be989d62
5.12.5 Patch: blesta-5.12.0-5.12.5.zip
SHA-256: 553fcd4e54526f8798bb04b6ba87861509d6690c1f8f95329f8ba7d1707e05d6
To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.
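The two steps above that are easy to skip under time pressure are checking the downloaded archive against the published SHA-256 and taking a backup before upgrading. The script below is an added example, not Blesta's own tooling: it compares a file's digest with an expected hash (case-insensitively, and failing closed on a missing file) and tars the install directory before the archive is unpacked. The install path, backup location and database name in the usage comments are assumptions for illustration; the hashes are the ones listed in this advisory.

```shell
#!/bin/sh
# Added example (not part of Blesta): verify a downloaded Blesta archive against
# the SHA-256 published in the advisory, then back up the install before patching.

# Print the SHA-256 of a file, using sha256sum (Linux) or shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when the file exists and its digest equals EXPECTED_HEX.
# The expected value is lower-cased first so a hash copied in upper case matches.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK  $file"
    return 0
  fi
  echo "MISMATCH $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# backup_tree INSTALL_DIR DEST_TGZ
# Archives the whole Blesta install directory (code, config, uploads) to DEST_TGZ.
backup_tree() {
  src=$1
  dest=$2
  [ -d "$src" ] || { echo "missing dir: $src" >&2; return 1; }
  tar -czf "$dest" -C "$(dirname "$src")" "$(basename "$src")" || return 1
  echo "backup written: $dest"
}

# backup_db DBNAME DEST_SQL
# Dumps the Blesta database with mysqldump; credentials come from ~/.my.cnf or
# the usual MYSQL_* environment. --single-transaction gives a consistent
# InnoDB snapshot without locking the tables (assumption: MySQL/MariaDB backend).
backup_db() {
  mysqldump --single-transaction --routines "$1" > "$2" || return 1
  echo "database dump written: $2"
}

# Run as a script:  sh blesta-preflight.sh ARCHIVE EXPECTED_HASH [INSTALL_DIR DEST_TGZ]
# Example (hash from this advisory, paths assumed):
#   sh blesta-preflight.sh blesta-5.13.0-5.13.8.zip \
#      9f3b93080020359a3818ca7ac64ab8cfb084d7c60571bdb58258d742be989d62 \
#      /var/www/blesta /root/blesta-pre-5.13.8.tgz
if [ "$#" -ge 2 ]; then
  verify_sha256 "$1" "$2" || exit 1
  if [ "$#" -ge 4 ]; then
    backup_tree "$3" "$4" || exit 1
  fi
fi
```

Only unpack the archive and run /admin/upgrade after both the digest check and the backups succeed; a mismatch means a corrupted or tampered download, not a reason to skip the check.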
Full Release Notes for 5.13.8
- [CORE-5912] - Cancel options not available if there are any open invoices
- [CORE-5927] - Security fix
- [CORE-5928] - Security fix
- [CORE-5929] - Security fix
- [CORE-5935] - Security fix
- [CORE-5936] - Fix an issue with expired coupons
- [CORE-5944] - Security fix
- [CORE-5945] - Security fix
- [CORE-5947] - Security fix
- [CORE-5953] - Security fix
- [CORE-5956] - Quotations::getAll() does not support a status of ‘all’
Resolution
- If you are running version 5.13.x, apply the 5.13.8 patch above.
- If you are running version 5.12.x, apply the 5.12.5 patch above.
- If you are running version 3.0.x through 5.11.x, upgrade to 5.13.8 Full.
Mitigation
It is best to apply the appropriate patch or upgrade to 5.13.8 as soon as possible. If you need more time before patching, the following interim measures reduce exposure to three of the issues (the two API-reachable code execution issues and the inbound email header parsing issue); they do not address the others.
- Audit your API keys. Go to Settings → Company → API Access and disable or remove any keys belonging to retired integrations, test accounts, or applications you do not fully trust. Rotate any keys that may have been exposed in deploy scripts, source repositories, or .env files. The two API-reachable code execution issues in this release require a valid API key, so reducing the number of active keys reduces the attack surface.
- If you do not use the Support Manager’s inbound email-to-ticket feature, disable it. Go to Support → Departments → Edit and set “Email Handling” to None. One issue in this release affects how inbound email headers are parsed; if you are not pulling mail into Blesta, this code path is not reached.
Note on API-reachable issues
Two of the issues addressed in this release are reachable only by a caller that already holds valid Blesta API credentials. As documented, the Blesta API grants full administrative access to the installation — any valid API credentials can call every public model method in Blesta core and in installed extensions. API credentials should be treated accordingly and only used from fully trusted, first-party applications. If you need a narrower or purpose-built interface for an untrusted client or third-party integration, build it as a plugin that exposes its own endpoint rather than calling the core API directly. These issues are still being patched because the gap between “holds an API key” and “executes code on the host” should not exist, but they are not reachable by an unauthenticated attacker.
Credits
Five of these issues were reported by Curtis at Terabit in accordance with our Responsible Disclosure Policy. The remaining issues were discovered internally.