Logo
 Get Started

Security Advisory

June 9, 2025
Paul

A security issue affecting Blesta versions 4.0.0 through 5.11.3 has been identified.

A path traversal vulnerability has been discovered, though the vulnerability does not allow the disclosure of Blesta configuration files. We recommend applying the appropriate patch for your release, or upgrading to version 5.11.4 as soon as possible. We give this an impact rating of High.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always back up your files and database prior to upgrading and be sure to run /admin/upgrade in your browser after uploading either a patch or full release. Patch releases may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 4.0 and 5.11, upgrade to 5.11.4.

Downloads

Download 5.11.4 Patch Download 5.11.4 Full 

% blesta-5.11.4.zip
6003fcf0caadc255b7b43e0a504b130e0a0f8751e22d270e9fd126299e018548

% blesta-5.11.0-5.11.4.zip
353996300dd83ceb91b887691aa1956b2be97dd5c481cd5acf290db51d5078f2

Download 5.10.4 Patch 

% blesta-5.10.0-5.10.4.zip
37c102ac7f539a039d2b39354f60c5e504c617e32037a228a15b84009a097018

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Resolution

  • If you are running version 5.11.x, apply the 5.11.4 patch above.
  • If you are running version 5.10.x, apply the 5.10.4 patch above.
  • If you are running version 4.0.x through 5.11.x, upgrade to 5.11.4 Full.

Mitigation

It is best to upgrade to 5.11.4 or apply the appropriate patch. However, if you are running an affected unsupported version of Blesta (version 4.0 through 5.9), and you need more time to upgrade, it is possible to mitigate. We are not publishing mitigation steps now due to nature of the vulnerability. For mitigation steps, open a ticket from within your account and provide your license key as well as the version of Blesta you are running along with the reason you are not able to upgrade.

Credits

This issue was reported by a customer in accordance with our Responsible Disclosure Policy.

Related Tags:

Security Advisory

February 8, 2024
Paul

Several security issues affecting Blesta versions 5.0.0 through 5.9.1 have been identified. There is no evidence to suggest that these vulnerabilities are publicly known or being exploited, but you should take action now.

A path traversal vulnerability may lead to account compromise and RCE (Remote Code Execution) through vulnerability chaining. We recommend applying the appropriate patch for your release as soon as possible, or by upgrading to version 5.9.2. Given the compounding nature of these vulnerabilies, we give this an impact rating of Critical.

More information about how we rate vulnerabilities can be found on our Security Advisories page.

Always run /admin/upgrade in your browser after patching or upgrading your installation. Patch releases may only be applied to the minor release to which it belongs, so download the appropriate patch for your minor version. If you are running a version of Blesta between 5.0 and 5.6, upgrade to 5.9.2.

Downloads

Download 5.9.2 Patch Download 5.9.2 Full 

% blesta-5.9.2.zip
27f59fd3bc7a30dd6dc40ae619447fc5be049f2f3cd811ac5a6fc59b6d643b02

% blesta-5.9.0-5.9.2.zip
a4626ab2a8fe3f28010c368cc54b704cade6ac2fc299b7d48a3daec3ef9837e3

Download 5.8.3 Patch 

% blesta-5.8.0-5.8.3.zip
5f5463e8590b837c76b1aa1c3f89b07e50efce477606b8f6b7f49543b2e9e828

Download 5.7.2 Patch 

% blesta-5.7.0-5.7.2.zip
3f06d2a2a08f196725389e69db0cc3dc1ac05ba48f3a473b01ecc3d2caa3fa8f

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

Resolution

  • If you are running version 5.7.x, apply the 5.7.2 patch above.
  • If you are running version 5.8.x, apply the 5.8.3 patch above.
  • If you are running version 5.9.x, apply the 5.9.2 patch above.
  • If you are running version 5.0.x through 5.6.x, upgrade to 5.9.2 Full.

Mitigation

It is best to upgrade to 5.9.2 or apply the appropriate patch. However, if you are running an affected unsupported version of Blesta (version 5.0 through 5.6), or you need more time to upgrade, you may take the following immediate steps to mitigate.

  • Visit Settings > System > General and note the location of your “Uploads Directory”.
  • Assuming your uploads directory is “/path/to/uploads/” check the directory for your company ID (typically “1”) and see if you have a “themes” directory. If the directory exists, delete the directory. Example locations for this directory are: “/path/to/uploads/1/themes”, “/path/to/uploads/2/themes”, etc. Only users with addon-companies will have any directories other than “1” within the uploads directory. Ensure “themes” is deleted from each.

If your logo dissappears, you may need to visit Settings > Company > Look and Feel > Customize and set your logo using “Set Logo URL”, not “Upload Logo”. NOTE that this may result in the “themes” directory being re-created. If you perform this step, check for and delete the “themes” directory again.

We would also highly recommend ensuring that Two-Factor Authentication is enabled for all Staff accounts. Staff can set up Two-Factor Authentication under “My Info” using a token like Google Authenticator (for iOS/Android).

Credits

These issues were reported to us by Emre Hampolat in accordance with our Responsible Disclosure Policy.

Related Tags:
Top