CVE-2022-30028: Security Reports | Dradis Framework
Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token.
This page lists all security vulnerabilities fixed in released versions of Dradis. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of Dradis the flaw is known to affect; where a flaw has not been verified against a version, we list that version with a question mark.
Please send comments or corrections for these vulnerabilities to: security[ {at} ]dradisframework{ [dot] }org
Fixed in Dradis 4.3.0
low: Password reset token can be reused in a 5-minute window
The password reset token can be reused in a 5-minute window.
Affects: Pro: 4.2.0 and possibly older versions of Dradis.
Credit: Goktug Serez
Fixed in Dradis 4.2.0
low: Authenticated author broken access control: read access to screenshots
An author can access screenshots from another project.
Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.
Fixed in Dradis 4.1.2
high: Authenticated (author) path traversal vulnerability
An author can gain unauthorized access.
Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.
Credit: Kristian Varnai
Fixed in Dradis 4.1.0
medium: Authenticated (author) broken access control: read access to issue content
An author can read issue content when they are not authorized to access it.
Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.
Credit: Kristian Varnai
Fixed in Dradis 4.0.0
medium: Authenticated (contributor) information disclosure
After a contributor has been assigned Gateway access to a project by an admin user, they may retain access to the project after the project's team has been changed.
Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.
Fixed in Dradis 3.11
medium: Authenticated (admin) persistent cross-site scripting
Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.
Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.
Credit: Michelle Flanagan
Fixed in Dradis 3.10.1
medium: Authenticated (author) persistent cross-site scripting
Insufficient validation around avatars resulted in arbitrary JavaScript code execution.
Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.
Fixed in Dradis 3.9.1
high: Authenticated (author) information disclosure
An author who is disabled by admins may continue to use the API.
Affects: Pro: 3.5.1 and possibly older versions of Dradis.
Fixed in Dradis 3.7.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around Comment textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.
Credit: Erik Cabetas
low: Authenticated (admin) persistent cross-site scripting
Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.
Affects: Pro 3.6.0 and possibly older versions of Dradis.
Fixed in Dradis 3.6.0
high: Authenticated (author) information disclosure
An author with an active session who is disabled by admins may continue to operate within the application.
Affects: Pro 3.5.1 and possibly older versions of Dradis.
medium: Authenticated (admin) data modification
An admin can update another user’s comment by sending a custom request.
Affects: Pro 3.5.0 and possibly older versions of Dradis.
Credit: Security Compass
Fixed in Dradis 3.5.0
high: Authenticated (author) information disclosure
An author without permission on a project may obtain info from that project using the API.
Affects: Pro 3.4.1 and possibly older versions of Dradis.
Credit: Bastian Faure & Florian Nivette
medium: Authenticated (author) information disclosure
Mentioning a user who does not have access to the project in a comment could result in disclosure of content from future comments in the same thread.
Affects: Pro 3.4.1 and possibly older versions of Dradis.
Fixed in Dradis 3.4.1
high: Authenticated (author) path traversal vulnerability
By uploading a malicious zip file, it is possible to place files in undesired locations on the filesystem.
Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.
Credit: Props go to Emil Sågfors.
medium: Authenticated (author) information disclosure
Information from other projects could be disclosed to other users in the system who happened to be using the application concurrently.
Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.
low: Authenticated (admin) SQL Injection
A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.
Affects: Pro: 3.4 to 3.2.
Fixed in Dradis 3.2.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.
Credit: Props go to an anonymous Dradis user.
medium: Authenticated persistent cross-site scripting
Inline display of some attachments resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.
Credit: Props go to an anonymous Dradis user.
Fixed in Dradis 3.11.1
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.
Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.
CVE-2019-5925
Fixed in Dradis 3.10.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.
Credit: Props go to Robert Diepeveen
Fixed in Dradis 3.6.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.
Affects: CE: 3.x, Pro: 2.x and possibly older versions of Dradis.
Credit: Props go to Marly Wilson
Fixed in Dradis 3.1.0.rc2
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.
Affects: 3.1.0.rc1 and possibly older versions of Dradis.
Credit: Props go to Mahmoud Reda
Fixed in Dradis 2.5.2
high: Unauthenticated reflected cross-site scripting
Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.
Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.
Credit: Props go to Russ McRee for identifying this issue.
CVE not assigned yet
Fixed in Dradis 2.0.1
high: Missing authentication
The authentication filter was found to be missing in two components of the server module (notes and configuration).
This was fixed in revision 598.
Affects: 2.0.0
CVE-2009-0670 (candidate)