Impact
The vendor has identified an input validation flaw in Blesta versions 3.x through 5.x prior to 5.13.3. This weakness, cataloged as CWE‑79, allows an attacker to inject malicious JavaScript or other code through crafted input that is not correctly sanitized. The result can be a traditional client‑side cross‑site scripting (XSS) attack, where an attacker can deface a page, steal session cookies, or perform other client‑side compromise tasks. The vulnerability does not directly grant an attacker arbitrary code execution on the server, but it can be used to facilitate phishing or other attacks against end‑users that visit the affected pages.
Affected Systems
Based on the description, it is inferred that the vulnerability affects the Blesta web application used for billing and support. The affected versions include the entire 3.x series and the 5.x series before the 5.13.3 release. Unless patches beyond 5.13.3 are applied, deployments running these releases are potentially vulnerable.
Risk and Exploitability
The CVSS score of 4.7 indicates a moderate severity. An EPSS probability of < 1% suggests that there is a tangible but low chance of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog, meaning there are no confirmed widespread exploits. Based on the description, it is inferred that an attacker could supply malicious payloads through standard HTTP requests to the affected Blesta web interface, which are then reflected in the browser. Because the flaw tamps user input handling, the vulnerability is generally exploitable remotely via these standard web requests.
OpenCVE Enrichment