This page lists all security vulnerabilities fixed in released versions of Dradis. Each vulnerability is given a security impact rating by the Dradis core team; please note that this rating may vary from platform to platform. We also list the versions of Dradis the flaw is known to affect, and where a flaw has not been verified against a version we list that version with a question mark.
Please send comments or corrections for these vulnerabilities to: security[ {at} ]dradisframework{ [dot] }org
An author can access images from projects they don't have access to.
Affects: Pro: 4.12.0 and possibly older versions of Dradis.
Reported by: Gregory Ransom
Default SSH host keys used in the image
Affects: Pro: 4.11.0 and possibly older versions of Dradis.
Reported by: Arnaud PASCAL (Vaadata)
Insufficient validation around file names could result in arbitrary code execution
Affects: Pro: 4.11.0 and possibly older versions of Dradis.
Reported by: Arnaud PASCAL (Vaadata)
An author removed from a project can still receive notifications from that project.
Affects: Pro: 4.10.0 and possibly older versions of Dradis.
An author can read upload console output from projects they don't have access to.
Affects: Pro: 4.10.0 and possibly older versions of Dradis.
An author can read system files they are not authorized to access.
Affects: Pro: 4.8.0 and 4.9.0
Reported by: Joseph Foote
Insufficient validation around avatars resulted in arbitrary JavaScript code execution.
Affects: Pro: 4.7.0 and possibly older versions of Dradis.
Credit: Elliot RASCH
An author can read issue content when they are not authorized to access it.
Affects: CE: 4.4.0, Pro: 4.4.1 and possibly older versions of Dradis.
The password reset token can be reused in a 5-minute window.
Affects: Pro: 4.2.0 and possibly older versions of Dradis.
Credit: Goktug Serez
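The reset-token entry above describes a token that stays valid for a window after first use. The following is an added example, not Dradis code, of the behaviour a fix needs: the token is stored only as a digest, is bound to an expiry, and is consumed atomically on first use so a captured token cannot be replayed within the window. The class name, the injectable clock and the 5-minute TTL are assumptions chosen for this illustration.

```ruby
require 'securerandom'
require 'digest'

# Single-use, expiring password reset tokens (illustrative, not Dradis code).
class ResetTokenStore
  TTL_SECONDS = 5 * 60 # assumed window; the advisory mentions 5 minutes

  # +clock+ is injectable so expiry can be tested without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @tokens = {} # SHA-256(raw token) => { user_id:, expires_at: }
  end

  # Issues a fresh token for +user_id+ and returns the raw value to be mailed.
  # Only the digest is kept, so a database read does not reveal usable tokens.
  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[digest(raw)] = { user_id: user_id, expires_at: @clock.call + TTL_SECONDS }
    raw
  end

  # Returns the user id on success, nil otherwise. The entry is removed
  # before the expiry check, so a token is gone after its first presentation
  # whether or not that presentation succeeded.
  def consume(raw)
    entry = @tokens.delete(digest(raw))
    return nil if entry.nil?
    return nil if @clock.call > entry[:expires_at]

    entry[:user_id]
  end

  private

  # Hash-table lookup on a 256-bit random token does not leak anything an
  # attacker can use; the digest also keeps raw tokens out of storage.
  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

Wiring this into a Rails controller means calling `consume` exactly once per reset request and treating a nil result as "invalid or expired" without distinguishing the two.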
An author can access screenshots from another project.
Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.
An author can gain unauthorized access.
Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.
Credit: Kristian Varnai
An author can read issue content when they are not authorized to access it.
Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.
Credit: Kristian Varnai
After an admin user has assigned a contributor Gateway access to a project, the contributor may retain access to the project after the project's team has been changed.
Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.
Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.
Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.
Credit: Michelle Flanagan
Insufficient validation around avatars resulted in arbitrary JavaScript code execution.
Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.
An author who is disabled by admins may continue to use the API.
Affects: Pro: 3.5.1 and possibly older versions of Dradis.
Insufficient output encoding around Comment textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.
Credit: Erik Cabetas
Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.
Affects: Pro: 3.6.0 and possibly older versions of Dradis.
An author with an active session who is disabled by admins may continue to operate within the application.
Affects: Pro: 3.5.1 and possibly older versions of Dradis.
An admin can update another user's comment by sending a custom request.
Affects: Pro: 3.5.0 and possibly older versions of Dradis.
Credit: Security Compass
An author without permission on a project may obtain information from that project using the API.
Affects: Pro: 3.4.1 and possibly older versions of Dradis.
Credit: Bastian Faure & Florian Nivette
Mentioning a user who does not have access to the project in a comment could result in disclosure of content from future comments in the same thread.
Affects: Pro: 3.4.1 and possibly older versions of Dradis.
By uploading a malicious zip file it is possible to place files in undesired locations on the filesystem.
Affects: CE: 3.14, Pro: 3.4 and possibly older versions of Dradis.
Credit: Props go to Emil Sågfors.
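The zip entry above is the archive path-traversal pattern: entry names inside the archive are attacker-controlled, so "../" segments, absolute paths and backslash separators can all steer a write outside the extraction directory. The following is an added example, not Dradis code, of the check an extractor should apply to every entry name before writing; the function names, the sample entry names and the destination directory are constructed for this illustration. It works on names only, so it runs without an actual archive or the rubyzip gem.

```ruby
# Illustrative zip-slip guard, not Dradis code.

# Resolves +entry_name+ against +dest_dir+ and returns the absolute path the
# entry may be written to. Raises ArgumentError when the name is absolute or
# would resolve outside +dest_dir+ after "../" and "./" normalisation.
def safe_extract_path(dest_dir, entry_name)
  base = File.expand_path(dest_dir)
  # Archives built on Windows may carry "\" separators; File.expand_path does
  # not treat them as separators on POSIX, so normalise before resolving.
  name = entry_name.gsub('\\', '/')
  raise ArgumentError, "absolute entry name: #{entry_name}" if name.start_with?('/')

  # Join before expanding so a leading "~" in the entry is never interpreted
  # as a home directory.
  target = File.expand_path(File.join(base, name))
  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "entry escapes destination: #{entry_name}"
  end

  target
end

# Maps each entry name to its resolved path, or :rejected if it would escape.
def check_entries(dest_dir, entry_names)
  entry_names.each_with_object({}) do |name, result|
    result[name] = begin
      safe_extract_path(dest_dir, name)
    rescue ArgumentError
      :rejected
    end
  end
end

# Constructed entry names mixing benign and hostile cases.
SAMPLE_ENTRIES = [
  'report/findings.txt',
  '../../.ssh/authorized_keys',
  '/etc/cron.d/backdoor',
  'images\\..\\..\\config\\database.yml',
  'nested/./ok.png'
].freeze

if __FILE__ == $PROGRAM_NAME
  check_entries('/tmp/dradis-upload', SAMPLE_ENTRIES).each do |name, outcome|
    puts format('%-40s %s', name, outcome)
  end
end
```

When wiring this into a real extractor, call `safe_extract_path` for every entry, including directory entries, and create the target's parent directories only after the check has passed; a symlink entry pointing outside the destination needs the same treatment on its link target.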
Information from other projects could be disclosed to other users in the system who happened to be using the application concurrently.
Affects: CE: 3.14, Pro: 3.4 and possibly older versions of Dradis.
A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.
Affects: Pro: 3.2 to 3.4.
Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.
Credit: Props go to an anonymous Dradis user.
Inline display of some attachments resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.
Credit: Props go to an anonymous Dradis user.
Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.
Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.
Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.
Credit: Props go to Robert Diepeveen
Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.
Affects: CE: 3.x, Pro: 2.x and possibly older versions of Dradis.
Credit: Props go to Marly Wilson
Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.
Affects: 3.1.0.rc1 and possibly older versions of Dradis.
Credit: Props go to Mahmoud Reda
Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.
Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.
Credit: Props go to Russ McRee for identifying this issue.
CVE not assigned yet
The authentication filter was found to be missing in two components of the server module (notes and configuration).
This was fixed in revision 598.
Affects: 2.0.0
CVE-2009-0670 (candidate)