Blesta Security Advisory – Two-Factor and Privilege Issues

Blesta Security Advisory

Blesta is an automated billing and invoicing system used by many web hosting companies. Alongside WHMCS, it is one of the billing platforms now used for hosting automation.


Blesta has released a security update to address a two-factor authentication issue and a privilege issue.

Affected Versions

Versions 3.0.0 through 3.1.3 are affected.

Description

A user who already holds a valid username and password may be able to pass TOTP two-factor authentication by guessing the correct code; because TOTP codes are six-digit values, repeated guessing becomes practical if the number of attempts is not limited. This issue is classified as a Low vulnerability. (CORE-1213)
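To make the guessing risk concrete, the following is an added example (not Blesta's code, and not taken from the advisory) of a TOTP second-factor check with and without a per-user failure budget. It implements RFC 4226/6238 directly so it runs offline; the secret, the user name "alice" and the fixed timestamp are constructed for the demonstration, and the five-attempt / five-minute lockout policy is an assumed choice, not a setting the advisory describes.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Second-factor check with per-user failure counting and lockout.

    max_attempts=None reproduces the unthrottled behaviour: every guess is
    evaluated, so an attacker who already has the password can enumerate codes.
    """

    def __init__(self, secret: bytes, max_attempts=5, lockout_seconds=300, window=1):
        self.secret = secret
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.window = window        # accept +/- this many 30 s steps of clock drift
        self.failures = {}          # user -> [consecutive failures, locked_until]
        self._valid_cache = {}      # time -> list of acceptable codes at that instant

    def _valid_codes(self, now: int):
        if now not in self._valid_cache:
            counter = now // 30
            self._valid_cache[now] = [
                hotp(self.secret, counter + d) for d in range(-self.window, self.window + 1)
            ]
        return self._valid_cache[now]

    def verify(self, user: str, code: str, now: int) -> str:
        """Return 'ok', 'bad' or 'locked'. The lockout is checked before the code
        is evaluated, so a locked account leaks nothing even for the right code."""
        count, locked_until = self.failures.get(user, [0, 0])
        if self.max_attempts is not None:
            if now < locked_until:
                return "locked"
            if count >= self.max_attempts:
                # failure budget exhausted: start the lockout and reset the counter
                self.failures[user] = [0, now + self.lockout_seconds]
                return "locked"
        ok = any(hmac.compare_digest(code, valid) for valid in self._valid_codes(now))
        if ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = [count + 1, locked_until]
        return "bad"


def brute_force(verifier: TotpVerifier, user: str, now: int):
    """Attacker holding the password tries every six-digit code at one instant.
    Returns (accepted_code_or_None, attempts_made)."""
    for guess in range(10 ** 6):
        code = f"{guess:06d}"
        result = verifier.verify(user, code, now)
        if result == "ok":
            return code, guess + 1
        if result == "locked":
            return None, guess + 1
    return None, 10 ** 6


SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed demo secret, not a real one
NOW = 1_700_000_000                             # fixed instant so the run is deterministic

if __name__ == "__main__":
    for attempts in (None, 5):
        v = TotpVerifier(SECRET, max_attempts=attempts)
        code, tries = brute_force(v, "alice", NOW)
        print(f"max_attempts={attempts}: accepted={code} after {tries} guesses")
```

With `max_attempts=None` the enumeration always succeeds within at most a million requests (fewer when a drift window widens the set of accepted codes); with a failure budget the same attacker is locked out after the sixth request. The lockout is keyed on the user rather than the source address, since the attacker in this scenario is already authenticated with the first factor and can easily change addresses.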

An authenticated staff member may be able to modify system settings that ACL restrictions otherwise prohibit them from changing, by submitting carefully crafted HTTP POST requests under limited circumstances. This issue is classified as a Moderate vulnerability. (CORE-1163)
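The pattern behind this class of bug is a handler that authorizes the page but not the individual fields it writes. The following added example (constructed for this page; not Blesta's code, and the setting keys and permission names are illustrative, not the project's identifiers) shows a page-level check beside a per-field check driven by the same ACL.

```python
from dataclasses import dataclass


# Constructed mapping from each setting to the ACL entry needed to change it.
# These keys and permission names are illustrative, not Blesta's own.
SETTING_PERMISSIONS = {
    "company_name": "settings.company",
    "invoice_prefix": "settings.company",
    "maintenance_mode": "settings.system",
    "default_staff_group": "settings.staff",
}


@dataclass(frozen=True)
class Staff:
    username: str
    permissions: frozenset  # ACL entries granted to this staff member


class AclDenied(Exception):
    """Raised when a request touches something the staff member's ACL forbids."""


def update_settings_vulnerable(staff: Staff, post: dict, settings: dict) -> dict:
    """Page-level check only: once the staff member may open the company
    settings page, every key in the POST body is written, including fields
    the form never rendered for them."""
    if "settings.company" not in staff.permissions:
        raise AclDenied("settings.company required")
    settings.update(post)
    return settings


def update_settings_hardened(staff: Staff, post: dict, settings: dict) -> dict:
    """Per-field check: every submitted key is mapped to the permission that
    guards it; an unknown key or one outside the caller's ACL rejects the
    whole request before anything is written, so there is no partial update."""
    if "settings.company" not in staff.permissions:
        raise AclDenied("settings.company required")
    for key in post:
        needed = SETTING_PERMISSIONS.get(key)
        if needed is None:
            raise AclDenied(f"unknown setting {key!r}")
        if needed not in staff.permissions:
            raise AclDenied(f"{key!r} requires {needed}")
    settings.update(post)
    return settings


def apply_or_deny(handler, staff: Staff, post: dict, settings: dict):
    """Run a handler and report ('applied', settings) or ('denied', settings)
    so the two behaviours can be compared on the same input."""
    try:
        return "applied", handler(staff, dict(post), settings)
    except AclDenied:
        return "denied", settings


# Constructed staff member who may edit company settings but nothing else.
MANAGER = Staff("manager", frozenset({"settings.company"}))
# Constructed crafted POST: the visible form only carries company_name and
# invoice_prefix; the attacker appends two fields reserved for administrators.
CRAFTED_POST = {
    "company_name": "Evil Co",
    "maintenance_mode": "1",
    "default_staff_group": "1",
}
HONEST_POST = {"company_name": "Example Hosting", "invoice_prefix": "INV-"}

if __name__ == "__main__":
    for name, handler in (("vulnerable", update_settings_vulnerable),
                          ("hardened", update_settings_hardened)):
        outcome, state = apply_or_deny(handler, MANAGER, CRAFTED_POST, {"maintenance_mode": "0"})
        print(f"{name}: {outcome}, maintenance_mode={state['maintenance_mode']}")
```

The hardened handler also rejects keys that are not in the mapping at all, which closes the variant where a new setting is added to the schema without anyone deciding which permission should guard it.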

Resolution

If you are running 3.0.x, or 3.1.0 through 3.1.3, upgrade to version 3.1.4 or version 3.2.0.
