Logo
 Get Started

Security Advisory - Cross-site scripting vulnerabilities

December 20, 2013
Cody

Affected Versions

Versions 3.0.0 through 3.0.6 are affected.

Description

Some content may be rendered in the client and admin interfaces, as well as through the Support plugin without proper sanitization, possibly making them vulnerable to cross-site scripting (XSS) attacks. Patch release 3.0.7 corrects these vulnerabilities.

Resolution

Upgrade to version 3.0.7, or uninstall the affected plugins. Related tasks:

  1. CORE-877
  2. CORE-931
  3. CORE-932

Credits

CORE-931 was discovered by Clifford Trigo (@mrtrizaeron) and Evan Ricafort (@robinhood0x00). CORE-877 and CORE-932 were discovered by the Blesta Development Team.

Related Tags:

Blesta 3.0.6 Patch Released

November 13, 2013
Paul

A patch has been released for Blesta that addresses bugs discovered since 3.0.5 was released. As usual, a big thanks to everyone who reported and confirmed these bugs on our forums, we appreciate your help.

You can read more information about this patch, including the release notes, on our forums at http://www.blesta.com/forums/index.php?/topic/1467-release-306/

Download Link

blesta-3.0.0-3.0.6.zip

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Related Tags:

Blesta 3.0.5 Patch Released

October 24, 2013
Paul

A patch has been released for Blesta that addresses bugs discovered since 3.0.4 was released. It also contains two security fixes discovered in house as part of our review process. For more information about these fixes, please see the advisory. We strongly recommend upgrading to 3.0.5.

You can read more information about this patch, including the release notes, on our forums at http://www.blesta.com/forums/index.php?/topic/1285-release-305/

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Related Tags:

Security Advisory - Plugin vulnerabilities

October 24, 2013
Cody
Affected Versions

Versions 3.0.0 through 3.0.4 are affected.

Description

Some content may be rendered in both the System Overview and Feed Reader plugins without proper sanitization, making them vulnerable to cross-site scripting (XSS) attacks. Patch release 3.0.5 corrects these vulnerabilities. Uninstalling the affected plugins will also mitigate any potential attacks.

Resolution

Upgrade to version 3.0.5, or uninstall the affected plugins. Related tasks:

  1. CORE-829
  2. CORE-830
Credits

These issues were discovered by the Blesta Development Team.

Related Tags:

Blesta 3.0.4 Patch Released

October 7, 2013
Paul

A patch has been released for Blesta that addresses bugs discovered since 3.0.3 was released and fixes two security related issues. We strongly recommend upgrading to 3.0.4.

You can read more information about this patch, including the release notes, on our forums at http://www.blesta.com/forums/index.php?/topic/1192-release-304/.

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual. Don’t forget to run /admin/upgrade after you patch your files, there are some database changes that need to be executed.

Related Tags:
Top