[KIS-2026-01] Blesta <= 5.13.1 (confirm_url) Reflected Cross-Site Scripting Vulnerability
Summary: Blesta contains a reflected cross-site scripting vulnerability (CVE-2026-25616) affecting versions 3.2.0 through 5.13.1. An attacker crafts a malicious link which, once the victim clicks it and then confirms the dialog, executes attacker-controlled JavaScript in the victim's browser. Upgrade to 5.13.2 or later. Posted 2026-02-05 04:50:50, source: seclists.org


Full Disclosure mailing list archives


From: Egidio Romano <n0b0d13s () gmail com>
Date: Wed, 4 Feb 2026 11:47:47 +0100

---------------------------------------------------------------------------
Blesta <= 5.13.1 (confirm_url) Reflected Cross-Site Scripting Vulnerability
---------------------------------------------------------------------------


[-] Software Link:

https://www.blesta.com


[-] Affected Versions:

All versions from 3.2.0 to 5.13.1.


[-] Vulnerability Description:

User input passed through the "confirm_url" GET parameter to the
/dialog/confirm and /client_dialog/confirm/ endpoints is not properly
sanitized before being used to generate HTML output; specifically,
before being used as the action attribute of an HTML form. Because the
value is placed in a URL context, a javascript: URL survives output
encoding and is executed when the form is submitted. This can be
exploited by attackers to perform two-click Reflected Cross-Site
Scripting (XSS) attacks.


[-] Proof of Concept:

An attacker may trick a victim Blesta user into clicking on links like these:

http://[blesta]/dialog/confirm/?confirm_url=javascript:alert('XSS')
http://[blesta]/client_dialog/confirm/?confirm_url=javascript:eval(atob('YWxlcnQoJ1hTUyBvbiAnK2RvY3VtZW50LmRvbWFpbik='))

When the victim user clicks on the malicious link and then also clicks
the "Yes" button, the form is submitted to the javascript: URL and the
attacker-controlled JavaScript code is executed in the victim user's
browser. The second payload above base64-decodes to
alert('XSS on '+document.domain), so it confirms execution in the
origin of the vulnerable Blesta instance.
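The following added example (Python, written for this page and not Blesta's code) reproduces the flaw class described above and in the proof of concept: a request parameter written into a form's action attribute, where HTML attribute encoding alone does not neutralize a javascript: URL because the browser decodes the entities and then parses the value as a URL. Beside it is a validation routine of the kind a fix needs: normalize the value the way browsers do (strip leading/trailing controls and embedded tab/newline characters), then accept only an on-site absolute path or an http(s) URL on the expected host. The form markup, the function names and the host blesta.example are assumptions for illustration.

```python
"""Added example: a URL reflected into <form action="..."> and a hardened check.

Hypothetical reproduction of the flaw class in the advisory, not Blesta's code.
"""
import html
import re
from urllib.parse import urlsplit

# Browsers drop leading/trailing C0 controls and spaces, and remove tab, LF
# and CR anywhere in a URL before parsing the scheme (WHATWG URL standard).
_LEADING_TRAILING_STRIP = "".join(chr(c) for c in range(0x21))
_TAB_OR_NEWLINE = re.compile(r"[\t\n\r]")


def render_confirm_form(confirm_url: str) -> str:
    """Vulnerable pattern (hypothetical): encodes for the HTML attribute
    context only.  html.escape keeps the value inside the quotes, but the
    browser decodes the entities and then parses the result as a URL, so a
    javascript: scheme reaches the form's action unchanged."""
    return (
        f'<form method="post" action="{html.escape(confirm_url, quote=True)}">'
        '<button type="submit">Yes</button></form>'
    )


def browser_view_of_action(markup: str) -> str:
    """Return the action URL as a browser sees it after entity decoding."""
    match = re.search(r'action="([^"]*)"', markup)
    return html.unescape(match.group(1)) if match else ""


def normalize_like_a_browser(url: str) -> str:
    """Apply the browser's whitespace/control stripping so that payloads such
    as ' javascript:' or 'java\\tscript:' cannot slip past a scheme check."""
    return _TAB_OR_NEWLINE.sub("", url.strip(_LEADING_TRAILING_STRIP))


def is_safe_confirm_url(url: str, allowed_host: str) -> bool:
    """Allow only same-site destinations: an absolute path on this site, or an
    absolute http(s) URL whose host is allowed_host.  javascript:, data:,
    protocol-relative //host and /\\host forms are all rejected."""
    url = normalize_like_a_browser(url)
    if not url:
        return False
    parts = urlsplit(url)  # urlsplit lowercases the scheme for us
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: require a single leading slash so it stays on-site.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    if parts.scheme in ("http", "https"):
        return parts.hostname == allowed_host.lower()
    return False


def render_confirm_form_safe(confirm_url: str, allowed_host: str,
                             fallback: str = "/") -> str:
    """Hardened variant: validate for the URL context first, then encode for HTML."""
    target = confirm_url if is_safe_confirm_url(confirm_url, allowed_host) else fallback
    return render_confirm_form(target)


if __name__ == "__main__":
    payload = "javascript:alert('XSS')"
    # The vulnerable renderer hands the javascript: URL to the browser intact.
    print(browser_view_of_action(render_confirm_form(payload)))  # javascript:alert('XSS')
    # The hardened renderer falls back to "/" instead.
    print(browser_view_of_action(render_confirm_form_safe(payload, "blesta.example")))  # /
```

The design point is that this is a URL-context injection, not an HTML-context one: the fix belongs in a scheme and destination allowlist applied before templating, with HTML encoding kept as the second layer rather than the only one.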


[-] Solution:

Apply the vendor patch or upgrade to version 5.13.2 or later.


[-] Disclosure Timeline:

[19/01/2026] - Vendor notified

[22/01/2026] - CVE identifier requested

[28/01/2026] - Version 5.13.2 released

[31/01/2026] - Version 5.13.3 released to address regressions
introduced in 5.13.2

[03/02/2026] - CVE identifier assigned

[04/02/2026] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.org) has
assigned the name CVE-2026-25616 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Other References:

https://www.blesta.com/2026/01/28/security-advisory/


[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-01
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/



Source: https://seclists.org/fulldisclosure/2026/Feb/0