Security Advisory - Plugin vulnerabilities
Affected Versions
Versions 3.0.0 through 3.0.4 are affected.
Description
Some content may be rendered in both the System Overview and Feed Reader plugins without proper sanitization, making them vulnerable to cross-site scripting (XSS) attacks. Patch release 3.0.5 corrects these vulnerabilities. Uninstalling the affected plugins will also mitigate any potential attacks.
Resolution
Upgrade to version 3.0.5, or uninstall the affected plugins. Related tasks:
- CORE-829
- CORE-830
Credits
These issues were discovered by the Blesta Development Team.
Related Tags:
Security Advisory – Cross-site scripting vulnerabilities
Affected Versions
Versions 3.0.0 through 3.0.3 are affected.
Description
Some messages may be rendered without proper sanitization, making the system vulnerable to cross-site scripting (XSS) attacks through carefully crafted URLs. Two distinct message types are vulnerable to such an attack. Disabling PHP error reporting mitigates one of these vectors. Both issues are fully resolved in patch release 3.0.4.
Resolution
Upgrade to version 3.0.4. Related tasks:
- CORE-796
- CORE-797
Credits
Thanks to Vlad C. of NetSec Interactive Solutions for reporting these issues.