
CVE-2023-50458
https://notcve.org/view.php?id=CVE-2023-50458
10 Jul 2025 — In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs. • https://github.com/dradis/dradis-ce/tags • CWE-1230: Exposure of Sensitive Information Through Metadata •

CVE-2023-50786
https://notcve.org/view.php?id=CVE-2023-50786
05 Jul 2025 — Dradis through 4.16.0 allows referencing external images (resources) over HTTPS, instead of forcing the use of embedded (uploaded) images. This can be leveraged by an authorized author to attempt to steal the Net-NTLM hashes of other authors on a Windows domain network. • https://dradis.com • CWE-294: Authentication Bypass by Capture-replay •

CVE-2023-31223
https://notcve.org/view.php?id=CVE-2023-31223
25 Apr 2023 — Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars. • https://dradisframework.com/ce/security_reports.html#fixed-4.8.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-30028
https://notcve.org/view.php?id=CVE-2022-30028
24 Jun 2022 — Dradis Professional Edition before 4.3.0 allows attackers to change an account password via reusing a password reset token. • https://dradisframework.com/ce/security_reports.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2019-19946
https://notcve.org/view.php?id=CVE-2019-19946
16 Mar 2020 — The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team. • https://know.bishopfox.com/advisories • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2019-5925
https://notcve.org/view.php?id=CVE-2019-5925
12 Mar 2019 — Cross-site scripting vulnerability in Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. • http://jvn.jp/en/jp/JVN40288903/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •