4 matches found
CVE-2024-25859
Blesta (before v5.9.2) is affected by CVE-2024-25859 due to a path traversal in the /path/to/uploads/ directory. The vulnerability allows an attacker to takeover user accounts and execute arbitrary code. Affected versions are prior to 5.9.2. Mitigation: upgrade to Blesta 5.9.2 or later. As a temp...
CVE-2026-25614
Blesta 3.x–5.x prior to 5.13.3 is affected by an object injection vulnerability (CORE-5680). User input passed via invoices (POST) or item-ext-ref (GET) can reach unserialize() in Checkout2::validate()/Checkout2::success(), allowing arbitrary PHP objects to be injected. This enables potential rem...
CVE-2026-25616
Blesta CVE-2026-25616 affects Blesta versions 3.x through 5.x before 5.13.3 due to mishandling of input validation (CORE-5665). Multiple sources (Red Hat, CVE listing, PacketStorm) indicate impacts include input handling defects that enable cross-site scripting in certain endpoints, with the cano...
CVE-2026-25615
Blesta 3.x–5.x prior to 5.13.3 is affected by CVE-2026-25615 (CORE-5668), a PHP object-injection vulnerability. Public details describe vulnerability through admin interfaces (admin_clients.php and admin_company_groups.php) where unserialize() is applied to unsanitized input, enabling injection o...