Security Advisory - Blesta 4.10.1 Patch Released

June 10, 2020 | Posted by Paul

Blesta 4.10.1 has been released, which addresses two bugs discovered in the 4.10.0 branch, including one security issue affecting the Order Manager with an impact rating of Moderate. More information about how we rate vulnerabilities can be found on our Security Advisories page. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and discord chat, we appreciate your help!

The release notes are available at

Always run /admin/upgrade in your browser after patching or upgrading your installation. Patch releases may only be applied to the minor release to which it belongs. Only apply the patch if you are running 4.10.0. If you are running an earlier version, you must download the full release.

Download 4.10.1 Patch Download 4.10.1 Full

SHA256 Sum



To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Affected Versions

All versions of the Order Manager plugin are affected.


This update addresses one security concern:

  1. An XSS flaw that affects the order system under certain circumstances.


If running 4.10.0, apply the patch for 4.10.1. If running a version earlier than 4.10.0, upgrade to the full 4.10.1 release. See below for mitigation for older supported releases.


It is best to upgrade to 4.10.1, however, if you are running a supported version of Blesta (version 4.6, 4.7, 4.8, or 4.9) you may overwrite the following files from the 4.10.1 patch:

  • /blesta/plugins/order/views/templates/ajax/config.pdt
  • /blesta/plugins/order/views/templates/standard/config.pdt
  • /blesta/plugins/order/views/templates/wizard/config.pdt


This item was reported by Abdellah nadi in accordance with our Responsible Disclosure Policy.