Security Reports
This page lists all security vulnerabilities fixed in released versions of Dradis. Each vulnerability is given a security impact rating by the Dradis core team; please note that this rating may vary from platform to platform. We also list the versions of Dradis the flaw is known to affect; where a version has not been verified, it is listed with a question mark.
Please send comments or corrections for these vulnerabilities to: dradis[ {at} ]nomejortu{ [dot] }com.
Fixed in Dradis 2.5.2
high: Unauthenticated reflected cross-site scripting
Insufficient output encoding could result in arbitrary JavaScript code being executed if a specially crafted file was uploaded by an authenticated user.
Affects: 2.5.1, 2.5.0 and possibly older versions of Dradis.
Credit: Props go to Russ McRee for identifying this issue.
CVE not assigned yet
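The root cause above is insufficient output encoding of an attacker-controlled value (here, something derived from an uploaded file) when it is written back into a page. The following is an added illustration, not Dradis code and not the fix shipped in 2.5.2: it renders a constructed attachment name with a Rails 2-era ERB template that interpolates raw, beside the same template with context-appropriate encoding (html_escape for element content and attribute values, url_encode for the path segment). The file name, template and function names are assumptions made for the example.

```ruby
require 'erb'

# Constructed sample input: an attachment name carrying a script payload.
MALICIOUS_NAME = %q{"><script>alert(document.cookie)</script>.txt}.freeze

# Vulnerable shape: <%= %> in pre-Rails-3 ERB writes the value verbatim,
# so the quote and angle brackets in the name become live markup.
UNSAFE_TEMPLATE = ERB.new(
  %q{<a href="/attachments/<%= name %>"><%= name %></a>}
)

# Hardened shape: encode for the context the value lands in.
#  - url_encode for the path component of href
#  - html_escape for the link text (and any attribute value)
SAFE_TEMPLATE = ERB.new(
  %q{<a href="/attachments/<%= ERB::Util.url_encode(name) %>"><%= ERB::Util.html_escape(name) %></a>}
)

def render_unsafe(name)
  UNSAFE_TEMPLATE.result_with_hash(name: name)
end

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Crude check a reviewer can run over rendered output: did a raw tag survive?
def script_tag_present?(html)
  html.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(MALICIOUS_NAME)}"
  puts "safe:   #{render_safe(MALICIOUS_NAME)}"
end
```

The point of using two encoders is that HTML escaping alone is the wrong tool for the href path: it stops the value from breaking out of the attribute, but the browser still URL-decodes what it reads there, so the path segment needs URL encoding and the visible text needs HTML escaping.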
Fixed in Dradis 2.0.1
high: Missing authentication
The authentication filter was found to be missing in two components of the server module (notes and configuration).
This was fixed in revision 598.
Affects: 2.0.0
CVE-2009-0670 (candidate)
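A missing authentication filter means a controller's actions run for any client, because in a Rails 2-style application the check is opt-in per controller through before_filter. The block below is an added stand-in written for this page, not Dradis or Rails code: it models a before_filter chain in plain Ruby, shows a notes controller without the filter beside one that declares it, and includes a small audit that lists controllers lacking login_required. All class, method and session-key names are assumptions made for the example.

```ruby
# Minimal model of a Rails 2-style controller with a before_filter chain
# (assumption: stand-in for illustration, not the framework itself).
class Controller
  def self.before_filters
    @before_filters ||= []
  end

  # Declares a filter on this controller.
  def self.before_filter(name)
    before_filters << name
  end

  # Subclasses inherit the parent's filter declarations.
  def self.inherited(sub)
    super
    sub.instance_variable_set(:@before_filters, before_filters.dup)
  end

  def initialize(session)
    @session = session
  end

  # Runs every declared filter; a filter returning false halts the action.
  def dispatch(action)
    self.class.before_filters.each do |filter|
      return :redirected_to_login unless send(filter)
    end
    send(action)
  end

  private

  # The authentication check: true only for a logged-in session.
  def login_required
    !@session[:user_id].nil?
  end
end

class ApplicationController < Controller
end

# Vulnerable shape: no filter declared, so an anonymous request reaches index.
class UnprotectedNotesController < ApplicationController
  def index
    :notes_listed
  end
end

# Fixed shape: the filter is declared where the action needs it.
class NotesController < ApplicationController
  before_filter :login_required

  def index
    :notes_listed
  end
end

# Simulates a request with an empty (unauthenticated) session.
def anonymous_request(controller_class, action)
  controller_class.new({}).dispatch(action)
end

# Audit helper: names of controllers that never declare login_required.
def controllers_missing_auth(controllers)
  controllers
    .reject { |c| c.before_filters.include?(:login_required) }
    .map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous -> unprotected: #{anonymous_request(UnprotectedNotesController, :index)}"
  puts "anonymous -> fixed:       #{anonymous_request(NotesController, :index)}"
  puts "missing filter: #{controllers_missing_auth([UnprotectedNotesController, NotesController])}"
end
```

The audit is the part worth keeping: declaring the filter once on the shared parent controller (and opting out explicitly for the few public actions) turns a forgotten declaration from a silent hole into a deliberate exception, and an audit over all controller classes catches the remaining gaps before release.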
