Blesta Security Advisory
Blesta is an automated billing and invoicing system used by many web hosting companies; alongside WHMCS, it is one of the platforms widely used for hosting automation.
Blesta has released a security update to address a two-factor authentication issue and a privilege issue.
Affected Versions
Versions 3.0.0 through 3.1.3 are affected.
Description
A user with a valid username and password may be able to satisfy the two-factor authentication (TOTP) check by guessing the correct code. This issue is classified as a Low vulnerability. (CORE-1213)
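The defensive point behind CORE-1213 is that a second factor only helps if the server bounds how many codes a caller can try. The following is an added illustration, not Blesta's code: an RFC 6238 TOTP check with a clock-drift window, a failure counter with lockout, and rejection of an already-used time step. The secret is the 20-byte key from the RFC test vectors so the results are reproducible; the thresholds (5 failures, 300-second lockout, one step of drift) are assumed demo values, not Blesta's settings.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional

# Constructed demo secret: the ASCII key from the RFC 6238 test vectors, used only
# so the output is reproducible. A real enrolment uses a random per-user secret.
DEMO_SECRET = b"12345678901234567890"
STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / STEP)."""
    return hotp(secret, at // STEP, digits)


class TotpVerifier:
    """Verifies TOTP codes for one user and throttles guessing.

    Three controls a plain "compare the code" check lacks:
      * a small clock-drift window instead of an unbounded one,
      * a failure counter with a lockout once it is exceeded,
      * rejection of a time step that was already accepted (replay).
    The thresholds below are assumed values for this demo.
    """
    MAX_FAILURES = 5        # wrong codes tolerated before lockout
    LOCKOUT_SECONDS = 300   # how long verification is refused after that
    DRIFT_STEPS = 1         # accept codes from one step before/after "now"

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1  # highest time step already accepted

    def is_locked(self, now: int) -> bool:
        return now < self.locked_until

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if self.is_locked(now):
            return False  # refuse without evaluating the code at all
        centre = now // STEP
        for counter in range(centre - self.DRIFT_STEPS, centre + self.DRIFT_STEPS + 1):
            if counter <= self.last_counter:
                continue  # this step was already used once: treat as a replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.MAX_FAILURES:
            self.locked_until = now + self.LOCKOUT_SECONDS
            self.failures = 0
        return False


def guesses_per_hour(max_failures: int = TotpVerifier.MAX_FAILURES,
                     lockout: int = TotpVerifier.LOCKOUT_SECONDS) -> int:
    """Upper bound on codes that can be evaluated per hour under the lockout policy
    (compare with the 10**6 possible six-digit codes when nothing throttles attempts)."""
    return max_failures * (3600 // lockout)


if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET)
    print("RFC vector T=59 ->", totp(DEMO_SECRET, 59))
    print("accepted:", v.verify(totp(DEMO_SECRET, 59), now=59))
    print("replay accepted:", v.verify(totp(DEMO_SECRET, 59), now=59))
    print("max guesses/hour under lockout:", guesses_per_hour())
```

The replay rule means a user who logs in twice inside the same 30-second step is asked to wait for the next code; that is the trade-off RFC 6238 recommends, and it is cheap compared with letting a stolen-but-valid code be reused. The lockout should be keyed per account (and ideally also per source address) and written to a store shared by all application nodes, otherwise a guesser simply spreads attempts across sessions.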
An authenticated staff member may be able to change settings that ACL restrictions otherwise prohibit them from changing, by sending carefully crafted HTTP POST requests, under limited circumstances. This issue is classified as a Moderate vulnerability. (CORE-1163)
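The advisory does not say which settings or request shape were involved in CORE-1163, so the example below is not Blesta's code and does not reproduce the actual bug; it is an added illustration of the general pattern behind "crafted POST bypasses ACL" and its fix: the server must authorise every submitted field against the caller's ACL rather than trusting that the form only offered permitted fields. Staff names, permission strings and field names are constructed sample data; `STAFF_ACL`, `FIELD_PERMISSION` and the handler functions are hypothetical.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data: permissions each staff member's ACL grants, and the
# permission each settings field requires. All names are illustrative.
STAFF_ACL: Dict[str, Set[str]] = {
    "alice": {"settings.company", "settings.invoices"},
    "bob": {"settings.invoices"},
}
FIELD_PERMISSION: Dict[str, str] = {
    "company_name": "settings.company",
    "admin_email": "settings.company",
    "invoice_prefix": "settings.invoices",
}


class Forbidden(Exception):
    """Raised when a request carries a field the caller's ACL does not allow."""


def save_settings_unsafe(staff: str, post: Dict[str, str]) -> Dict[str, str]:
    """Pattern that relies on the form: the UI renders only the fields the staff
    member may edit, and the handler saves whatever arrives. A field added to the
    POST body by hand is saved regardless of the ACL."""
    return dict(post)


def disallowed_fields(staff: str, post: Iterable[str]) -> List[str]:
    """Fields in the request the staff member is not permitted to set.
    Unknown fields are reported too, so typos and probing both show up."""
    granted = STAFF_ACL.get(staff, set())
    return sorted(f for f in post if FIELD_PERMISSION.get(f) not in granted)


def save_settings(staff: str, post: Dict[str, str]) -> Dict[str, str]:
    """Hardened handler: authorise every submitted field on the server and reject
    the whole request rather than silently dropping offending fields, so the
    attempt is visible in logs instead of being half-applied."""
    bad = disallowed_fields(staff, post)
    if bad:
        raise Forbidden(f"{staff} is not permitted to set: {', '.join(bad)}")
    return dict(post)


def handle_settings_post(staff: str, post: Dict[str, str]) -> Tuple[int, str]:
    """HTTP-style wrapper: returns (status, log line). The 403 line is the one a
    detection rule would match on (constructed format)."""
    try:
        save_settings(staff, post)
    except Forbidden as exc:
        return 403, f"ACL VIOLATION settings update by {staff}: {exc}"
    return 200, f"settings update by {staff}: ok fields={','.join(sorted(post))}"


if __name__ == "__main__":
    # bob is only granted settings.invoices but submits a company-level field too
    crafted = {"invoice_prefix": "INV-", "admin_email": "someone@example.invalid"}
    print("unsafe handler saved:", save_settings_unsafe("bob", crafted))
    print(handle_settings_post("bob", crafted))
    print(handle_settings_post("alice", crafted))
```

Two design choices matter here. First, the check is per field, not per page: a staff member allowed to reach the settings page is still not allowed to write every field on it. Second, a violation is rejected and logged rather than trimmed, because a request that carries fields its sender cannot see in the UI is a signal worth alerting on, and silently discarding it hides that signal.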
Resolution
If you are running 3.0.x or 3.1.0 through 3.1.3, upgrade to version 3.1.4 or version 3.2.0.