Security Advisory

May 18, 2026
Paul

Several security issues affecting Blesta versions 3.0.0 through 5.13.7 have been identified. Patches are being released for the 5.12 and 5.13 branches.

These include an authorization issue, a low-severity enumeration issue on a public endpoint (no customer or account data is exposed), an inbound email header parsing issue in the Support Manager, two issues that could allow code execution by a caller already holding valid API credentials, a password-reset flow issue that could weaken account protections under specific conditions, and additional hardening to CSRF token verification and the Uploads component. Individual issues range in severity, but we give this an overall impact rating of High based on the most severe issue. We recommend applying the appropriate patch for your release, or upgrading to version 5.13.8 as soon as possible.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. Patch releases may only be applied to the minor release to which they belong, so download the appropriate patch for your minor version. If you are running a version of Blesta between 3.0 and 5.10, upgrade to 5.13.8.

Downloads

Download 5.13.8 Patch
Download 5.13.8 Full

% blesta-5.13.8.zip
b88fc1dc765f335ffb79155b0b8d606fad79924e7842fd94bc827ea4a0e12d15

% blesta-5.13.0-5.13.8.zip
9f3b93080020359a3818ca7ac64ab8cfb084d7c60571bdb58258d742be989d62

Download 5.12.5 Patch

% blesta-5.12.0-5.12.5.zip
553fcd4e54526f8798bb04b6ba87861509d6690c1f8f95329f8ba7d1707e05d6

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.
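Before uploading either archive, compare its SHA256 sum with the value published above. The script below is an added example and is not part of this advisory or of Blesta itself. It assumes the downloaded archives sit in the current directory and that either sha256sum (GNU coreutils) or shasum (BSD/macOS) is installed; the expected sums are the ones listed above, and the helper names (sha256_of, verify_sha256, expected_sum, check_present_archives) are this example's own.

```shell
#!/bin/sh
# Verify downloaded Blesta archives against their published SHA256 sums.
# Added example; not part of the Blesta advisory or the Blesta project.

# sha256_of FILE: print the hex SHA256 digest of FILE.
# Assumption: sha256sum (GNU) or shasum (BSD/macOS) is on PATH.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 when FILE exists and its digest equals EXPECTED (compared in
# lower case, so a sum copied in upper case still matches), 2 when FILE is
# missing, and 1 on a mismatch. Problems are reported on stderr.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        printf 'MISSING  %s\n' "$file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s\n' "$file"
        return 0
    fi
    printf 'MISMATCH %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# expected_sum NAME: the sum published in the advisory for archive NAME.
# Returns 1 for a name the advisory does not list.
expected_sum() {
    case $1 in
        blesta-5.13.8.zip)
            echo b88fc1dc765f335ffb79155b0b8d606fad79924e7842fd94bc827ea4a0e12d15 ;;
        blesta-5.13.0-5.13.8.zip)
            echo 9f3b93080020359a3818ca7ac64ab8cfb084d7c60571bdb58258d742be989d62 ;;
        blesta-5.12.0-5.12.5.zip)
            echo 553fcd4e54526f8798bb04b6ba87861509d6690c1f8f95329f8ba7d1707e05d6 ;;
        *) return 1 ;;
    esac
}

# check_present_archives: verify every listed archive found in the current
# directory. Archives that are not present are skipped; returns 1 if any
# present archive fails verification.
check_present_archives() {
    failed=0
    for name in blesta-5.13.8.zip blesta-5.13.0-5.13.8.zip blesta-5.12.0-5.12.5.zip; do
        if [ -f "$name" ]; then
            verify_sha256 "$name" "$(expected_sum "$name")" || failed=1
        else
            printf 'SKIP     %s (not present)\n' "$name"
        fi
    done
    return $failed
}

check_present_archives
```

Run it from the directory holding the download. A MISMATCH line means the archive does not match what was published and should not be uploaded; a MISSING or SKIP line simply means that archive is not in the directory. The comparison is done on the lower-cased digest so that a sum copied from a page rendering it in upper case still verifies.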

Full Release Notes for 5.13.8

  • [CORE-5912] - Cancel options not available if there are any open invoices
  • [CORE-5927] - Security fix
  • [CORE-5928] - Security fix
  • [CORE-5929] - Security fix
  • [CORE-5935] - Security fix
  • [CORE-5936] - Fix an issue with expired coupons
  • [CORE-5944] - Security fix
  • [CORE-5945] - Security fix
  • [CORE-5947] - Security fix
  • [CORE-5953] - Security fix
  • [CORE-5956] - Quotations::getAll() does not support a status of ‘all’

Resolution

  • If you are running version 5.13.x, apply the 5.13.8 patch above.
  • If you are running version 5.12.x, apply the 5.12.5 patch above.
  • If you are running version 3.0.x through 5.11.x, upgrade to 5.13.8 Full.

Mitigation

It is best to apply the appropriate patch or upgrade to 5.13.8 as soon as possible. If you need more time before patching, the following interim measures reduce exposure for two of the issues:

  • Audit your API keys. Go to Settings → Company → API Access and disable or remove any keys belonging to retired integrations, test accounts, or applications you do not fully trust. Rotate any keys that may have been exposed in deploy scripts, source repositories, or .env files. The two API-reachable code execution issues in this release require a valid API key, so reducing the number of active keys reduces the attack surface.
  • If you do not use the Support Manager’s inbound email-to-ticket feature, disable it. Go to Support → Departments → Edit and update “Email Handling” to None. One issue in this release affects how inbound email headers are parsed; if you are not pulling mail into Blesta, this code path is not reached.

Note on API-reachable issues

Two of the issues addressed in this release are reachable only by a caller that already holds valid Blesta API credentials. As documented, the Blesta API grants full administrative access to the installation — any valid API credentials can call every public model method in Blesta core and in installed extensions. API credentials should be treated accordingly and only used from fully trusted, first-party applications. If you need a narrower or purpose-built interface for an untrusted client or third-party integration, build it as a plugin that exposes its own endpoint rather than calling the core API directly. These issues are still being patched because the gap between “holds an API key” and “executes code on the host” should not exist, but they are not reachable by an unauthenticated attacker.

Credits

Five of these issues were reported by Curtis at Terabit in accordance with our Responsible Disclosure Policy. The remaining issues were discovered internally.


Blesta 5.13.7 Patch Released

April 27, 2026
Paul

We are pleased to announce the release of Blesta 5.13.7, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and Discord chat; we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5137/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which they belong. Only apply this patch if you are running 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, 5.13.5, or 5.13.6. If you are running an earlier version, you must download the full release.

Download 5.13.7 Patch
Download 5.13.7 Full

SHA256 Sum

% blesta-5.13.7.zip
675b04404e61eae3dbf4725d854cf619f07502f65634ede33fb9b48c58ba299b

% blesta-5.13.0-5.13.7.zip
2544cc3edc2b399680534603417d3c441041cc559b332369f46b1a3fc33f0816

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Blesta 5.13.6 Patch Released

March 23, 2026
Paul

We are pleased to announce the release of Blesta 5.13.6, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and Discord chat; we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5136/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which they belong. Only apply this patch if you are running 5.13.0, 5.13.1, 5.13.2, 5.13.3, 5.13.4, or 5.13.5. If you are running an earlier version, you must download the full release.

Download 5.13.6 Patch
Download 5.13.6 Full

SHA256 Sum

% blesta-5.13.6.zip
36d30707d3af3bbce969bd60358796425a085c40ac466cab8bbf8c7e2b7a40c5

% blesta-5.13.0-5.13.6.zip
c0d2919403d63bcb0cca98ad43cc5c56b2c82d2c130082a6a86d6ab1fca204ff

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Blesta 5.13.5 Patch Released

February 26, 2026
Paul

We are pleased to announce the release of Blesta 5.13.5, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and Discord chat; we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5135/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which they belong. Only apply this patch if you are running 5.13.0, 5.13.1, 5.13.2, 5.13.3, or 5.13.4. If you are running an earlier version, you must download the full release.

Download 5.13.5 Patch
Download 5.13.5 Full

SHA256 Sum

% blesta-5.13.5.zip
ee616e7eef47b19ecdba67feecdb6b7cdd8bc343855981c76661c8fe95ed63d8

% blesta-5.13.0-5.13.5.zip
0a03c8afebf402f86d070467ef6e9edb90331a8fd6c571a1c1022dd7590a4c66

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Blesta 5.13.4 Patch Released

February 9, 2026
Paul

We are pleased to announce the release of Blesta 5.13.4, which addresses bugs discovered in the 5.13 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and Discord chat; we appreciate your help!

The release notes are available at https://docs.blesta.com/support/releases/5/5134/.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. Patch releases may only be applied to the minor release to which they belong. Only apply this patch if you are running 5.13.0, 5.13.1, 5.13.2, or 5.13.3. If you are running an earlier version, you must download the full release.

Download 5.13.4 Patch
Download 5.13.4 Full

SHA256 Sum

% blesta-5.13.4.zip
2146cac0eec29421dd6e976d889a85ea5864dc43e5f4b9a27ab1812d12f99f78

% blesta-5.13.0-5.13.4.zip
66e87ba717981c3f20404871487b821f88074bd0d12f2350f50949358096e001

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.
