Security Reports

This page lists all security vulnerabilities fixed in released versions of Dradis. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of Dradis the flaw is known to affect; where a flaw has not been verified against a version, we list that version with a question mark.

Please send comments or corrections for these vulnerabilities to: security[ {at} ]dradisframework{ [dot] }org

Fixed in Dradis 4.15.0

high: Authenticated (author) persistent cross-site scripting

Insufficient validation around issue content resulted in arbitrary JavaScript code execution when syncing Issue Library entries with issues.

Affects: Pro: 4.14.0.

Reported by: Viris Team

Fixed in Dradis 4.13.0

medium: Authenticated (author) horizontal privilege escalation

An author can access images from projects they don't have access to.

Affects: Pro: 4.12.0 and possibly older versions of Dradis.

Reported by: Gregory Ransom

Fixed in Dradis 4.12.0

low: Use of default cryptographic key

Default SSH host keys used in the image

Affects: Pro: 4.11.0 and possibly older versions of Dradis.

Reported by: Arnaud PASCAL (Vaadata)

high: Authenticated (author) path traversal

Insufficient validation around file names could result in arbitrary code execution.

Affects: Pro: 4.11.0 and possibly older versions of Dradis.

Reported by: Arnaud PASCAL (Vaadata)

Fixed in Dradis 4.11.0

low: Authenticated (author) information disclosure

An author removed from the project can still receive notifications from the project.

Affects: Pro: 4.10.0 and possibly older versions of Dradis.

low: Authenticated (author) information disclosure in the output console of the upload manager

An author can read upload console output from projects they don't have access to.

Affects: Pro: 4.10.0 and possibly older versions of Dradis.

Fixed in Dradis 4.10.0

medium: Authenticated (author) broken access control: read access to system files

An author can read system files they are not authorized to access.

Affects: Pro: 4.8.0 and 4.9.0

Reported by: Joseph Foote

Fixed in Dradis 4.8.0

medium: Authenticated (author) persistent cross-site scripting

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: Pro: 4.7.0 and possibly older versions of Dradis.

Credit: Elliot RASCH

Fixed in Dradis 4.5.0

medium: Authenticated (author) broken access control: read access to issue content

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.4.0, Pro: 4.4.1 and possibly older versions of Dradis.

Fixed in Dradis 4.3.0

low: Password reset token can be reused in a 5-minute window

The password reset token can be reused in a 5-minute window.

Affects: Pro: 4.2.0 and possibly older versions of Dradis.

Credit: Goktug Serez
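The entry above concerns a reset token that stayed valid for repeated use inside its time window. The following added illustration (not Dradis code, and not how Dradis implements its reset flow) shows the two properties a reset token needs: a short lifetime and single use, with the token consumed on first redemption. The 5-minute window, the store layout and the injectable clock are assumptions made for the example.

```ruby
require 'securerandom'
require 'digest'

# Added illustration, not Dradis code: a password-reset token that is
# time-limited AND single-use. Only the SHA-256 digest of the token is kept,
# so a leaked table does not yield usable tokens.
class ResetTokenStore
  TTL_SECONDS = 5 * 60 # assumed validity window, matching the advisory

  # clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {} # digest => { user_id:, expires_at:, used_at: }
  end

  # Issues a fresh token for user_id and invalidates any outstanding one,
  # so a user never has two live reset tokens at once.
  def issue(user_id)
    @records.delete_if { |_, r| r[:user_id] == user_id }
    token = SecureRandom.urlsafe_base64(32)
    @records[digest(token)] = {
      user_id: user_id,
      expires_at: @clock.call + TTL_SECONDS,
      used_at: nil
    }
    token
  end

  # Returns the user_id and consumes the token, or nil if the token is
  # unknown, expired, or has already been redeemed. The used_at mark is what
  # closes the reuse window the advisory describes.
  def redeem(token)
    record = @records[digest(token.to_s)]
    return nil if record.nil?
    return nil unless record[:used_at].nil?
    return nil if @clock.call > record[:expires_at]

    record[:used_at] = @clock.call
    record[:user_id]
  end

  private

  # Lookup is by digest, so the raw token never touches storage.
  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

In a real application the `used_at` write and the password change should happen in the same database transaction, so a token can never be redeemed twice under concurrent requests.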

Fixed in Dradis 4.2.0

low: Authenticated (author) broken access control: read access to screenshots

An author can access screenshots from another project.

Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.

Fixed in Dradis 4.1.2

high: Authenticated (author) path traversal vulnerability

An author can gain unauthorized access through path traversal.

Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.

Credit: Kristian Varnai

Fixed in Dradis 4.1.0

medium: Authenticated (author) broken access control: read access to issue content

An author can read issue content when they are not authorized to access it.

Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.

Credit: Kristian Varnai

Fixed in Dradis 4.0.0

medium: Authenticated (contributor) information disclosure

After an admin user has assigned a contributor Gateway access to a project, the contributor may retain access to the project after the project's team has been changed.

Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.

Fixed in Dradis 3.11

medium: Authenticated (admin) persistent cross-site scripting

Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

Credit: Michelle Flanagan

Fixed in Dradis 3.10.1

medium: Authenticated (author) persistent cross-site scripting

Insufficient validation around avatars resulted in arbitrary JavaScript code execution.

Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.

Fixed in Dradis 3.9.1

high: Authenticated (author) information disclosure

An author who is disabled by admins may continue to use the API.

Affects: Pro: 3.5.1 and possibly older versions of Dradis.

Fixed in Dradis 3.7.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the Comment textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.

Credit: Erik Cabetas

low: Authenticated (admin) persistent cross-site scripting

Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.

Affects: Pro: 3.6.0 and possibly older versions of Dradis.

Fixed in Dradis 3.6.0

high: Authenticated (author) information disclosure

An author with an active session who is disabled by admins may continue to operate within the application.

Affects: Pro: 3.5.1 and possibly older versions of Dradis.

medium: Authenticated (admin) data modification

An admin can update another user's comment by sending a custom request.

Affects: Pro: 3.5.0 and possibly older versions of Dradis.

Credit: Security Compass

Fixed in Dradis 3.5.0

high: Authenticated (author) information disclosure

An author without permission on a project may obtain info from that project using the API.

Affects: Pro: 3.4.1 and possibly older versions of Dradis.

Credit: Bastian Faure & Florian Nivette

medium: Authenticated (author) information disclosure

Mentioning a user who does not have access to the project in a comment could result in the content of future comments in the same thread being disclosed to that user.

Affects: Pro: 3.4.1 and possibly older versions of Dradis.

Fixed in Dradis 3.4.1

high: Authenticated (author) path traversal vulnerability

By uploading a malicious zip file, it is possible to place files in undesired locations on the filesystem.

Affects: CE: 3.14, Pro: 3.4 and possibly older versions of Dradis.

Credit: Props go to Emil Sågfors.
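Three entries on this page are path traversals through user-supplied names: the file-name traversals fixed in 4.12.0 and 4.1.2 and the zip-entry traversal fixed in 3.4.1 above. The added illustration below (not Dradis code, and not the fix the project shipped) shows the one check that closes all of them: resolve the untrusted name against a fixed base directory and refuse anything that does not stay strictly inside it. The base directory and the sample archive entries are constructed for the example.

```ruby
# Added illustration, not Dradis code: confine an untrusted file name (an
# upload's name or a zip entry name) to a fixed base directory.

# Returns the absolute destination path, or nil if the name would land
# outside base_dir. NUL bytes are rejected (they truncate C-level paths) and
# so is a leading "~" (File.expand_path would expand a home directory).
# Absolute names need no special case: expand_path ignores base_dir for
# them, so they fail the prefix check below.
def safe_join(base_dir, untrusted_name)
  name = untrusted_name.to_s
  return nil if name.empty? || name.include?("\0") || name.start_with?('~')

  base = File.expand_path(base_dir)
  candidate = File.expand_path(name, base) # collapses "..", "." and "//"

  # Strictly inside base: require the "base/" prefix, so base itself and a
  # sibling such as "/srv/dradis/attachments-old" are both refused.
  # expand_path does not follow symlinks; keep base free of user-controlled
  # links, or resolve it with File.realpath once it exists.
  candidate.start_with?(base + File::SEPARATOR) ? candidate : nil
end

# Plans a zip extraction: every entry is checked before anything is written,
# so a single bad entry cannot leave a half-extracted archive behind.
def plan_extraction(base_dir, entry_names)
  plan = { accepted: {}, rejected: [] }
  entry_names.each do |name|
    dest = safe_join(base_dir, name)
    if dest
      plan[:accepted][name] = dest
    else
      plan[:rejected] << name
    end
  end
  plan
end

# Constructed entry names, as a malicious archive might carry them.
SAMPLE_ENTRIES = [
  'report/summary.txt',
  'images/../logo.png',
  'report/../../../etc/cron.d/evil',
  '/etc/passwd'
].freeze

if __FILE__ == $PROGRAM_NAME
  plan = plan_extraction('/srv/dradis/attachments', SAMPLE_ENTRIES) # assumed base dir
  plan[:accepted].each { |n, d| puts "extract #{n} -> #{d}" }
  plan[:rejected].each { |n| puts "REJECT  #{n}" }
end
```

Whatever library actually unpacks the archive, its entry names must pass through the same check before `File.open` is called on the destination; checking after writing is too late.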

medium: Authenticated (author) information disclosure

Information from other projects could be disclosed to other users in the system who happened to be using the application concurrently.

Affects: CE: 3.14, Pro: 3.4 and possibly older versions of Dradis.

low: Authenticated (admin) SQL Injection

A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.

Affects: Pro: 3.2 to 3.4.

Fixed in Dradis 3.2.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

medium: Authenticated persistent cross-site scripting

Inline display of some attachments resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.
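The attachment entry above is a reminder that an uploaded file rendered inline runs with the application's origin, so an HTML or SVG upload becomes stored XSS. The added illustration below (not Dradis code, and not the fix the project shipped) builds the response headers for serving an attachment: only an allowlist of raster image types is shown inline, everything else is forced to download as opaque binary, sniffing is disabled, and the file name is scrubbed before it is echoed into a header. The allowlist and the header set are assumptions for the example.

```ruby
# Added illustration, not Dradis code: response headers for a user-uploaded
# attachment. Only raster images are shown inline; HTML, SVG (which can carry
# <script>) and anything unknown is downloaded as application/octet-stream.
INLINE_SAFE_TYPES = %w[image/png image/jpeg image/gif image/webp].freeze # assumed allowlist

def attachment_headers(filename, declared_type)
  # Normalise "Text/HTML; charset=utf-8" -> "text/html". Parameters are as
  # attacker-controlled as the type itself, so they are dropped, not echoed.
  media_type = declared_type.to_s.split(';').first.to_s.strip.downcase
  inline = INLINE_SAFE_TYPES.include?(media_type)

  # Keep a conservative character set in the file name so a crafted name
  # cannot close the quoted string or inject further header parameters.
  safe_name = File.basename(filename.to_s).gsub(/[^\w.\-]/, '_')
  safe_name = 'download' if safe_name.empty? || safe_name.start_with?('.')

  {
    'Content-Type' => inline ? media_type : 'application/octet-stream',
    'Content-Disposition' => "#{inline ? 'inline' : 'attachment'}; filename=\"#{safe_name}\"",
    'X-Content-Type-Options' => 'nosniff',                        # no sniffing an image into text/html
    'Content-Security-Policy' => "default-src 'none'; sandbox"   # belt and braces if it is rendered anyway
  }
end
```

The declared type should come from server-side inspection of the stored bytes, not from the `Content-Type` the uploader sent; the header logic is the same either way.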

Fixed in Dradis 3.11.1

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.

Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.

CVE-2019-5925

Fixed in Dradis 3.10.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.

Credit: Props go to Robert Diepeveen

Fixed in Dradis 3.6.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.

Affects: CE: 3.x, Pro: 2.x and possibly older versions of Dradis.

Credit: Props go to Marly Wilson

Fixed in Dradis 3.1.0.rc2

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.

Affects: 3.1.0.rc1 and possibly older versions of Dradis.

Credit: Props go to Mahmoud Reda

Fixed in Dradis 2.5.2

high: Unauthenticated reflected cross-site scripting

Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.

Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.

Credit: Props go to Russ McRee for identifying this issue.

CVE not assigned yet

Fixed in Dradis 2.0.1

high: Missing authentication

The authentication filter was found to be missing in two components of the server module (notes and configuration).

This was fixed in revision 598

Affects: 2.0.0

CVE-2009-0670 (candidate)
