Dear Blesta.Store Clients!
The Blesta Development Team has published a SECURITY ADVISORY!
...ADVISORY:
Several security issues affecting Blesta versions 5.0.0 through 5.9.1 have been identified.
There is no evidence to suggest that these vulnerabilities are publicly known or being exploited, but you should take action now.
A path traversal vulnerability may lead to account compromise and RCE (Remote Code Execution) through vulnerability chaining.
We recommend applying the appropriate patch for your release as soon as possible, or by upgrading to version 5.9.2.
Given the compounding nature of these vulnerabilities, we give this an impact rating of Critical.
Resolution
* If you are running version 5.7.x, apply the 5.7.2 patch.
* If you are running version 5.8.x, apply the 5.8.3 patch.
* If you are running version 5.9.x, apply the 5.9.2 patch.
* If you are running version 5.0.x through 5.6.x, upgrade to 5.9.2.
Mitigation
It is best to upgrade to 5.9.2 or apply the appropriate patch.
However, if you are running an affected unsupported version of Blesta
(version 5.0 through 5.6), or you need more time to upgrade, you may
take the following immediate steps to mitigate.
Visit Settings > System > General and note the location of your
“Uploads Directory”.
Assuming your uploads directory is “/path/to/uploads/” check the
directory for your company ID (typically “1”) and see if you have
a “themes” directory. If the directory exists, delete the
directory. Example locations for this directory are:
“/path/to/uploads/1/themes”, “/path/to/uploads/2/themes”, etc.
Only users with addon-companies will have any directories other than
“1” within the uploads directory. Ensure “themes” is deleted
from each.
If your logo disappears, you may need to visit Settings > Company >
Look and Feel > Customize and set your logo using “Set Logo URL”,
not “Upload Logo”. NOTE that this may result in the “themes”
directory being re-created. If you perform this step, check for and
delete the “themes” directory again.
We would also highly recommend ensuring that Two-Factor Authentication
is enabled for all Staff accounts. Staff can set up Two-Factor
Authentication under “My Info” using a token like Google
Authenticator (for iOS/Android).
...END OF ADVISORY!
Please note that the mentioned "RCE" is only possible via
vulnerability chaining and does not appear to be exploitable in a
"stand-alone" kind of way (according to the Blesta team).
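For administrators who want to check several installations quickly, the following POSIX shell helper (an added example, not code from Blesta or the advisory) lists every per-company “themes” directory under the uploads directory noted in Settings > System > General, and a second function removes what the first one reports. It assumes company directories are the numeric subdirectories (“1”, “2”, ...) the advisory describes and ignores anything else.

```shell
#!/bin/sh
# Added example (not Blesta's own code): locate and optionally remove the
# per-company "themes" directories under the Blesta uploads directory, as
# the advisory's interim mitigation describes. Company IDs are the numeric
# subdirectories ("1", "2", ...); other entries under uploads are ignored.
#
# Usage: . ./check_themes.sh; find_theme_dirs /path/to/uploads   (report only)
#        remove_theme_dirs /path/to/uploads                      (delete them)

# Print each <uploads>/<company-id>/themes directory that exists, one per line.
find_theme_dirs() {
    uploads="$1"
    [ -d "$uploads" ] || { echo "uploads directory not found: $uploads" >&2; return 1; }
    for company in "$uploads"/*/; do
        [ -d "$company" ] || continue
        id=$(basename "$company")
        # Only purely numeric names are Blesta company directories.
        case "$id" in
            ''|*[!0-9]*) continue ;;
        esac
        [ -d "$company/themes" ] && printf '%s\n' "${company%/}/themes"
    done
    return 0
}

# Remove every directory that find_theme_dirs reports and print each removal.
# Review the output of find_theme_dirs before calling this.
remove_theme_dirs() {
    find_theme_dirs "$1" | while IFS= read -r dir; do
        rm -rf -- "$dir" && printf 'removed %s\n' "$dir"
    done
}
```

Re-run find_theme_dirs after setting the logo via “Set Logo URL”, since the advisory notes that step may re-create the “themes” directory.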
Kind Regards
The Blesta.Store Team