Message-ID: <CAJeQoQeyzypNHRXTN3B1ymDU_hvaTCtiok0o9rPo9ps5jQg0Zg@mail.gmail.com>
Date: Wed, 4 Feb 2026 11:50:59 +0100
From: Egidio Romano <n0b0d13s@...il.com>
To: fulldisclosure@...lists.org
Cc: submissions@...ketstormsecurity.com, submit@...sec.com
Subject: [FD] [KIS-2026-03] Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities

--------------------------------------------------------------------------
Blesta <= 5.13.1 (2Checkout) Multiple PHP Object Injection Vulnerabilities
--------------------------------------------------------------------------


[-] Software Link:

https://www.blesta.com


[-] Affected Versions:

All versions from 3.0.0 to 5.13.1.


[-] Vulnerabilities Description:

The vulnerabilities exist because user input passed through the
"invoices" POST parameter or the "item-ext-ref" GET parameter when
dispatching the Checkout2::validate() or Checkout2::success() method
is not properly sanitized before being used in a call to the
unserialize() PHP function. This can be exploited by malicious client
users to inject arbitrary PHP objects into the application scope,
allowing them to perform a variety of attacks, such as executing
arbitrary PHP code (RCE).

Successful exploitation of this issue requires the 2Checkout payment
gateway to be installed.
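The bug class described above, as an added illustration that is not Blesta's code and not part of the original advisory: a hypothetical gateway callback handler receives a serialized "invoices" value from the client. The function names, the parameter handling and the sample inputs are all assumptions constructed for this example; the point is the contrast between feeding client input to unserialize() directly and the two defensive alternatives (refusing object instantiation, or switching to a data-only format).

```php
<?php
declare(strict_types=1);

// Added example, not Blesta code. Names below are hypothetical.

// Pattern the advisory describes: a client-controlled string goes straight
// into unserialize(). Any autoloadable class can then be instantiated and its
// magic methods (__wakeup, __destruct, ...) run with attacker-chosen state.
function parseInvoicesUnsafe(string $raw): array
{
    $invoices = @unserialize($raw);          // user input reaches unserialize()
    return is_array($invoices) ? $invoices : [];
}

// Mitigation 1: keep the wire format but forbid object instantiation.
// With allowed_classes => false every serialized object is materialised as
// __PHP_Incomplete_Class, so no application class and no magic method runs.
// The result is then validated against the shape we actually expect.
function parseInvoicesNoObjects(string $raw): array
{
    $invoices = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($invoices)) {
        return [];
    }
    // Keep only plain numeric invoice ids; drop anything else, objects included.
    $clean = array_filter(
        $invoices,
        fn($v) => is_int($v) || (is_string($v) && ctype_digit($v))
    );
    return array_values(array_map('intval', $clean));
}

// Mitigation 2 (preferred): use a data-only format. json_decode() never
// instantiates application classes, so the object-injection bug class
// cannot occur regardless of what the client sends.
function parseInvoicesJson(string $raw): array
{
    try {
        $invoices = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($invoices)) {
        return [];
    }
    $clean = array_filter(
        $invoices,
        fn($v) => is_int($v) || (is_string($v) && ctype_digit($v))
    );
    return array_values(array_map('intval', $clean));
}

// Constructed sample inputs for a local check.
$legitimate = serialize([12, 15]);            // a:2:{i:0;i:12;i:1;i:15;}
$withObject = serialize([12, new stdClass()]); // carries an object instance
$asJson     = json_encode([12, 15]);           // [12,15]

var_dump(parseInvoicesUnsafe($withObject)[1] instanceof stdClass);        // true: object instantiated
var_dump(parseInvoicesNoObjects($withObject));                             // [12]: object dropped
var_dump(parseInvoicesNoObjects($legitimate));                             // [12, 15]
var_dump(parseInvoicesJson($asJson));                                      // [12, 15]
var_dump(parseInvoicesJson($legitimate));                                  // []: not JSON, rejected
```

Note on design: the allowed_classes option is the minimal change when the serialized format cannot be replaced immediately, but it still leaves a parser that accepts arbitrary nested structures from the client. Moving the callback to JSON, and ideally looking the invoice list up server-side from a gateway transaction id rather than trusting the client to echo it back, removes the trust in client-supplied structure altogether.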


[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2026-25614.php


[-] Solution:

Apply the vendor patch or upgrade to version 5.13.2 or later.


[-] Disclosure Timeline:

[19/01/2026] - Vendor notified

[22/01/2026] - CVE identifier requested

[28/01/2026] - Version 5.13.2 released

[31/01/2026] - Version 5.13.3 released to address regressions
introduced in 5.13.2

[03/02/2026] - CVE identifier assigned

[04/02/2026] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.org) has
assigned the name CVE-2026-25614 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Other References:

https://www.blesta.com/2026/01/28/security-advisory/


[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-03
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
