CVE-2023-31223: Security Reports | Dradis Framework
Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars.
This page lists all security vulnerabilities fixed in released versions of Dradis. Each vulnerability is given a security impact rating by the Dradis core team - please note that this rating may vary from platform to platform. We also list the versions of Dradis the flaw is known to affect; where a flaw has not been verified against a version, that version is listed with a question mark.
Please send comments or corrections for these vulnerabilities to: security[ {at} ]dradisframework{ [dot] }org
Fixed in Dradis 4.8.0
medium: Authenticated (author) persistent cross-site scripting
Insufficient validation around avatars resulted in arbitrary JavaScript code execution.
Affects: Pro: 4.7.0 and possibly older versions of Dradis.
Fixed in Dradis 4.5.0
medium: Authenticated (author) broken access control: read access to issue content
An author can read issue content when they are not authorized to access it.
Affects: CE: 4.4.0, Pro: 4.4.1 and possibly older versions of Dradis.
Fixed in Dradis 4.3.0
low: Password reset token can be reused in a 5-minute window
The password reset token can be reused in a 5-minute window.
Affects: Pro: 4.2.0 and possibly older versions of Dradis.
Credit: Goktug Serez
Fixed in Dradis 4.2.0
low: Authenticated (author) broken access control: read access to screenshots
An author can access screenshots from another project.
Affects: CE: 4.1.0, Pro: 4.1.2 and possibly older versions of Dradis.
Fixed in Dradis 4.1.2
high: Authenticated (author) path traversal vulnerability
An author can gain unauthorized access.
Affects: CE: 4.1.0, Pro: 4.1.1 and possibly older versions of Dradis.
Credit: Kristian Varnai
Fixed in Dradis 4.1.0
medium: Authenticated (author) broken access control: read access to issue content
An author can read issue content when they are not authorized to access it.
Affects: CE: 4.0.0, Pro: 4.0.0 and possibly older versions of Dradis.
Credit: Kristian Varnai
Fixed in Dradis 4.0.0
medium: Authenticated (contributor) information disclosure
After a contributor has been assigned Gateway access to a project by an admin user, they may retain access to the project after the project's team has been changed.
Affects: Pro: 3.12.2 and possibly older versions of Dradis when using the Gateway addon.
Fixed in Dradis 3.11
medium: Authenticated (admin) persistent cross-site scripting
Insufficient validation around custom fields resulted in arbitrary JavaScript code execution.
Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.
Credit: Michelle Flanagan
Fixed in Dradis 3.10.1
medium: Authenticated (author) persistent cross-site scripting
Insufficient validation around avatars resulted in arbitrary JavaScript code execution.
Affects: CE: 3.15, Pro: 3.5.0 and possibly older versions of Dradis.
Fixed in Dradis 3.9.1
high: Authenticated (author) information disclosure
An author who is disabled by admins may continue to use the API.
Affects: Pro: 3.5.1 and possibly older versions of Dradis.
Fixed in Dradis 3.7.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the Comment textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.16, Pro: 3.6.0 and possibly older versions of Dradis.
Credit: Erik Cabetas
low: Authenticated (admin) persistent cross-site scripting
Insufficient output encoding around the Methodology templates resulted in arbitrary JavaScript code execution.
Affects: Pro 3.6.0 and possibly older versions of Dradis.
Fixed in Dradis 3.6.0
high: Authenticated (author) information disclosure
An author with an active session who is disabled by admins may continue to operate within the application.
Affects: Pro 3.5.1 and possibly older versions of Dradis.
medium: Authenticated (admin) data modification
An admin can update another user’s comment by sending a custom request.
Affects: Pro 3.5.0 and possibly older versions of Dradis.
Credit: Security Compass
Fixed in Dradis 3.5.0
high: Authenticated (author) information disclosure
An author without permission on a project may obtain info from that project using the API.
Affects: Pro 3.4.1 and possibly older versions of Dradis.
Credit: Bastian Faure & Florian Nivette
medium: Authenticated (author) information disclosure
Mentioning a user who does not have access to the project in a comment could result in disclosure of content from future comments in the same thread.
Affects: Pro 3.4.1 and possibly older versions of Dradis.
Fixed in Dradis 3.4.1
high: Authenticated (author) path traversal vulnerability
By uploading a malicious zip file it is possible to place files in undesired locations on the filesystem.
Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.
Credit: Props go to Emil Sågfors.
medium: Authenticated (author) information disclosure
Information from other projects could be disclosed to other users in the system that happened to be using the application concurrently.
Affects: CE 3.14, Pro 3.4 and possibly older versions of Dradis.
low: Authenticated (admin) SQL Injection
A SQL injection vector exploitable by administrator accounts only was identified affecting the Contributors module.
Affects: Pro: 3.4 to 3.2.
Fixed in Dradis 3.2.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around Evidence title resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.
Credit: Props go to an anonymous Dradis user.
medium: Authenticated persistent cross-site scripting
Inline display of some attachments resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.2 and possibly older versions of Dradis.
Credit: Props go to an anonymous Dradis user.
Fixed in Dradis 3.11.1
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.11, Pro: 3.1.1 and possibly older versions of Dradis.
Credit: Props go to Ohji Kashiwazaki and Sabina Rzeźwicka.
CVE-2019-5925
Fixed in Dradis 3.10.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the Textile textarea input resulted in arbitrary JavaScript code execution.
Affects: CE: 3.9, Pro: 2.9 and possibly older versions of Dradis.
Credit: Props go to Robert Diepeveen
Fixed in Dradis 3.6.0
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the revision history module resulted in arbitrary JavaScript code execution.
Affects: CE: 3.x, Pro: 2.x and possibly older versions of Dradis.
Credit: Props go to Marly Wilson
Fixed in Dradis 3.1.0.rc2
medium: Authenticated persistent cross-site scripting
Insufficient output encoding around the node labels resulted in arbitrary JavaScript code execution.
Affects: 3.1.0.rc1 and possibly older versions of Dradis.
Credit: Props go to Mahmoud Reda
Fixed in Dradis 2.5.2
high: Unauthenticated reflected cross-site scripting
Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.
Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.
Credit: Props go to Russ McRee for identifying this issue.
CVE not assigned yet
Fixed in Dradis 2.0.1
high: Missing authentication
The authentication filter was found to be missing in two components of the server module (notes and configuration).
This was fixed in revision 598.
Affects: 2.0.0
CVE-2009-0670 (candidate)
Related news
Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token.