Security Advisory

June 9, 2025
Paul

A security issue affecting Blesta versions 4.0.0 through 5.11.3 has been identified.

A path traversal vulnerability has been discovered, though the vulnerability does not allow the disclosure of Blesta configuration files. We recommend applying the appropriate patch for your release, or upgrading to version 5.11.4 as soon as possible. We give this an impact rating of High.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading, and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. A patch release may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 4.0 and 5.11, upgrade to 5.11.4.

Downloads

Download 5.11.4 Patch Download 5.11.4 Full

% blesta-5.11.4.zip
6003fcf0caadc255b7b43e0a504b130e0a0f8751e22d270e9fd126299e018548

% blesta-5.11.0-5.11.4.zip
353996300dd83ceb91b887691aa1956b2be97dd5c481cd5acf290db51d5078f2

Download 5.10.4 Patch

% blesta-5.10.0-5.10.4.zip
37c102ac7f539a039d2b39354f60c5e504c617e32037a228a15b84009a097018

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Resolution

  • If you are running version 5.11.x, apply the 5.11.4 patch above.
  • If you are running version 5.10.x, apply the 5.10.4 patch above.
  • If you are running version 4.0.x through 5.11.x, upgrade to 5.11.4 Full.
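
Added example (not Blesta's own tooling): a small shell script that maps an installed version to the download named in the Resolution list and checks the file's SHA-256 against the sum published above before it is unpacked. The function names, the "none" result for an already-fixed release, and the download-directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Blesta tooling. Sums are copied from this advisory.

# Published SHA-256 for each artifact named under Downloads.
published_sum() {
  case "$1" in
    blesta-5.11.4.zip)        echo 6003fcf0caadc255b7b43e0a504b130e0a0f8751e22d270e9fd126299e018548 ;;
    blesta-5.11.0-5.11.4.zip) echo 353996300dd83ceb91b887691aa1956b2be97dd5c481cd5acf290db51d5078f2 ;;
    blesta-5.10.0-5.10.4.zip) echo 37c102ac7f539a039d2b39354f60c5e504c617e32037a228a15b84009a097018 ;;
    *) return 1 ;;
  esac
}

# Map an installed version to the artifact the Resolution list prescribes.
pick_artifact() {
  case "$1" in
    5.11.4|5.10.4) echo none ;;                      # already on a fixed release
    5.11.[0-3])    echo blesta-5.11.0-5.11.4.zip ;;  # patch within 5.11
    5.10.[0-3])    echo blesta-5.10.0-5.10.4.zip ;;  # patch within 5.10
    4.*|5.[0-9].*) echo blesta-5.11.4.zip ;;         # 4.0 through 5.9: full release
    *) return 1 ;;                                   # not covered by this advisory
  esac
}

# Compare a file's SHA-256 with an expected hex digest; 0 only on exact match.
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    got=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
  else
    got=$(shasum -a 256 "$1" 2>/dev/null | cut -d' ' -f1)
  fi
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$got" ] && [ "$got" = "$want" ]   # unreadable file counts as a failure
}

# Usage: sh verify.sh <installed-version> <download-dir>
if [ "$#" -eq 2 ]; then
  zip=$(pick_artifact "$1") || { echo "version $1 not covered" >&2; exit 2; }
  [ "$zip" = none ] && { echo "already on a fixed release"; exit 0; }
  if verify_sha256 "$2/$zip" "$(published_sum "$zip")"; then
    echo "OK: $zip matches the published sum"
  else
    echo "MISMATCH: do not unpack $2/$zip" >&2; exit 1
  fi
fi
```

A mismatch or an unreadable file both return non-zero, so the script can gate an automated unpack step.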

Mitigation

It is best to upgrade to 5.11.4 or apply the appropriate patch. However, if you are running an affected unsupported version of Blesta (version 4.0 through 5.9) and you need more time to upgrade, it is possible to mitigate. We are not publishing mitigation steps now due to the nature of the vulnerability. For mitigation steps, open a ticket from within your account and provide your license key, the version of Blesta you are running, and the reason you are not able to upgrade.

Credits

This issue was reported by a customer in accordance with our Responsible Disclosure Policy.


Blesta 5.11.3 Patch Released

April 17, 2025
Paul

We are pleased to announce the release of Blesta 5.11.3, which addresses bugs discovered in the 5.11 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and Discord chat. We appreciate your help!

The release notes are available at https://docs.blesta.com/display/support/5.11.3.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. A patch release may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.11.0, 5.11.1, or 5.11.2. If you are running an earlier version, you must download the full release.

Download 5.11.3 Patch Download 5.11.3 Full

SHA256 Sum

% blesta-5.11.3.zip
3dcd9e67e43ff9df563dc5a099f8436d5b03aa4d60bff1a3975c030f0bb8b498

% blesta-5.11.0-5.11.3.zip
4a275432739d9b92e1f1c066d089518e69f9a3cf212d4ac2c6d2f7944f708811

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Blesta 5.11.2 Patch Released

March 19, 2025
Paul

We are pleased to announce the release of Blesta 5.11.2, which addresses bugs discovered in the 5.11 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and Discord chat. We appreciate your help!

The release notes are available at https://docs.blesta.com/display/support/5.11.2.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. A patch release may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.11.0 or 5.11.1. If you are running an earlier version, you must download the full release.

Download 5.11.2 Patch Download 5.11.2 Full

SHA256 Sum

% blesta-5.11.2.zip
968a4720f07c73e4d38ff5fd28afb9e493ec23161f85a06f013d0d4c6b40d647

% blesta-5.11.0-5.11.2.zip
1f2457a8d73c631ff1599d01154b65a82ca3244f360216c2de91cdbad8520fc1

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Blesta 5.11.1 Patch Released

March 10, 2025
Paul

We are pleased to announce the release of Blesta 5.11.1, which addresses bugs discovered in the 5.11 branch. A big thanks to everyone who participated in helping to make Blesta better by reporting and confirming bugs on our forums and Discord chat. We appreciate your help!

The release notes are available at https://docs.blesta.com/display/support/5.11.1.

Always run /admin/upgrade in your browser or via CLI after updating the files for your installation. A patch release may only be applied to the minor release to which it belongs. Only apply this patch if you are running 5.11.0. If you are running an earlier version, you must download the full release.

Download 5.11.1 Patch Download 5.11.1 Full

SHA256 Sum

% blesta-5.11.1.zip
1939d748f852c47e30116784f19df29aa153b4946932a242d38e848fabcc8370

% blesta-5.11.0-5.11.1.zip
94a9b8212c7ae56028053133c61e4e8da1d8fca1fab172bade06601ae5ded363

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.


Blesta 5.11 Released

February 18, 2025
Paul

Blesta 5.11 is now available!

Blesta now ships with 20 fully translated languages. Nice looking HTML templates for emails, an HTML invoice view option for clients, and CSS overrides on themes make Blesta even more customizable. New bulk actions for domains, bulk unsuspend services, invoice merging, and the ability to set a price override while adding a service as an admin. Gateway restrictions, Cloudflare Turnstile, and more!

Download 5.11

SHA256 Sum

f2d84ab5189e0d7a00983bf73866fd8272169594a35e0e1ff754617585131d92

ALWAYS BACK UP YOUR FILES + DATABASE PRIOR TO UPGRADING. Don’t forget to run /admin/upgrade in your browser or via CLI. If you need assistance upgrading, we can perform the upgrade for $35; just open a ticket from your account.

See the documentation for details on how to install or upgrade.

What’s new in 5.11?

  • Added two new language translations (Via DeepL), Arabic and Korean.
  • Added custom HTML Templates, with one included by default. (See docs)
  • Added a CSS override option on themes for persistent custom CSS.
  • Added a unique context sensitive class to the <body> tag for fine control with custom CSS.
  • Added an HTML invoice “View” option in the client area.
  • Added an option to restrict Payment Gateways by client and client group.
  • Added the ability to set a price override while adding a service as an admin.
  • Added an “Advanced Edit” feature to services for internal modifications.
  • Added an option to bulk delete unused TLDs in the Domain Manager.
  • Added an option to enable or disable management features in the Domain Manager.
  • Added the ability for Staff to add additional recipients to tickets.
  • Added the option to merge multiple invoices into a single invoice.
  • Added the payment gateways Blockonomics and Paysera.
  • Added Cloudflare Turnstile captcha option for human verification.
  • Added an option to persistently override existing language via _override.php (See docs)
  • Updated the Renewal Queue, renaming it Service Queue for all pending service actions.
  • Updated the WHMCS importer to import domains directly into the Domain Manager.
  • Updated Stripe Payments to add fine control over when to request 3DS.
  • Updated PayPal Payments Standard to allow mapping of subscriptions created outside Blesta.
  • Updated Data Feeds to add 2 new endpoints for Package quantity and client limit.
  • Updated config options to give staff more control.
  • Updated services widget to add a bulk unsuspend option.
  • Updated the Support Manager to insert pre-defined replies above the signature.
  • Updated Virtualmin to allow selling of sub-domains at predefined domains.
  • Updated Namesilo to improve contact handling.
  • Updated the System Overview widget to include more options for the graph date range.

See our beta announcement for more and the release notes for everything.

Developers

  • Added get events for models.
  • Reminder: If you are a developer, we recommend updating your extensions to support PHP 8, including PHP 8.2 if they don’t already.

A big shout out to the following companies for sponsoring development for one or more items in this release. Show them some love.

Sponsored development is a good way to support Blesta and get a shout out for your company! Interested? Reach out and say hello.

Stay Connected!

Like our Facebook page, join our Facebook group and Subreddit, follow us on Twitter, and join us in Discord.

