Security Reports

This page lists all security vulnerabilities fixed in released versions of Dradis. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of Dradis the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please send comments or corrections for these vulnerabilities to: security[ {at} ]dradisframework{ [dot] }org

Fixed in Dradis 3.6.0

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.

Affects: CE: 3.x, Pro: 2.X and possibly older versions of Dradis.

Credit: Props go to Marly Wilson

Fixed in Dradis 3.1.0.rc2

medium: Authenticated persistent cross-site scripting

Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.

Affects: 3.1.0.rc1 and possibly older versions of Dradis.

Credit: Props go to Mahmoud Reda

Fixed in Dradis 2.5.2

high: Unauthenticated reflected cross-site scripting

Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.

Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.

Credit: Props go to Russ McRee for identifying this issue.

CVE not assigned yet

Fixed in Dradis 2.0.1

high: Missing authentication

The authentication filter was found to be missing in two components of the server module (notes and configuration).

This was fixed in revision 598

Affects: 2.0.0

CVE-2009-0670 (candidate)