Security Advisory - Cross-site scripting vulnerabilities
Affected Versions
Versions 3.0.0 through 3.0.6 are affected.
Description
Some content may be rendered in the client and admin interfaces, as well as through the Support plugin without proper sanitization, possibly making them vulnerable to cross-site scripting (XSS) attacks. Patch release 3.0.7 corrects these vulnerabilities.
Resolution
Upgrade to version 3.0.7, or uninstall the affected plugins. Related tasks:
- CORE-877
- CORE-931
- CORE-932
Credits
CORE-931 was discovered by Clifford Trigo (@mrtrizaeron) and Evan Ricafort (@robinhood0x00). CORE-877 and CORE-932 were discovered by the Blesta Development Team.
Related Tags:
Security Advisory - Plugin vulnerabilities
Affected Versions
Versions 3.0.0 through 3.0.4 are affected.
Description
Some content may be rendered in both the System Overview and Feed Reader plugins without proper sanitization, making them vulnerable to cross-site scripting (XSS) attacks. Patch release 3.0.5 corrects these vulnerabilities. Uninstalling the affected plugins will also mitigate any potential attacks.
Resolution
Upgrade to version 3.0.5, or uninstall the affected plugins. Related tasks:
- CORE-829
- CORE-830
Credits
These issues were discovered by the Blesta Development Team.
Related Tags:
Security Advisory – Cross-site scripting vulnerabilities
Affected Versions
Versions 3.0.0 through 3.0.3 are affected.
Description
Some messages may be rendered without proper sanitization, making the system vulnerable to cross-site scripting (XSS) attacks through carefully crafted URLs. Two distinct message types are vulnerable to such an attack. Disabling PHP error reporting mitigates one of these vectors. Both issues are fully resolved in patch release 3.0.4.
Resolution
Upgrade to version 3.0.4. Related tasks:
- CORE-796
- CORE-797
Credits
Thanks to Vlad C. of NetSec Interactive Solutions for reporting these issues.