CVE-2023-50458 is an information disclosure vulnerability in the Dradis Pro and Dradis Community editions. Dradis is a documentation tool widely used by penetration testers to create and manage penetration testing reports. The issue was fixed in version 4.11.0.

The vulnerability resides in the “Output Console”, which displays log output while uploaded test results are processed by the various import plugins. Observations indicate that uploaded files are placed in a job queue prior to execution. If this queue contains multiple pending jobs, the “Output Console” can expose information about jobs belonging to other projects, potentially revealing data to which the tester should not have access. By uploading a specially crafted dummy file that induces a prolonged processing time, an attacker could keep the console active long enough to capture sensitive information that the running plugins write to the “Output Console”.
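As an added illustration (not Dradis's code, which is not reproduced here), the following Ruby sketch models the failure mode described above: a shared console buffer that renders every queued job's log lines, beside a version that tags each line with its project and filters by the viewer's project authorization. The job names, log text and the ACL are constructed.

```ruby
# Added example, not Dradis code: tag upload-job log lines with their
# project and filter the console view by the viewer's authorization.
# Plugin names, log text and the ACL below are constructed.

# A queued upload job; every log line it emits carries its project id.
class UploadJob
  attr_reader :project_id, :plugin

  def initialize(project_id:, plugin:, lines:)
    @project_id, @plugin, @lines = project_id, plugin, lines
  end

  # Run the job, appending tagged entries to the shared console buffer.
  def run(console)
    @lines.each do |text|
      console << { project_id: project_id, plugin: plugin, text: text }
    end
  end
end

# Vulnerable pattern: the console renders every entry in the shared buffer,
# so lines from another project's job leak to whoever has the console open.
def console_output_unscoped(console)
  console.map { |e| "[#{e[:plugin]}] #{e[:text]}" }
end

# Hardened pattern: the viewer names the project they are working in, an
# authorization callback confirms access, and only that project's entries
# are rendered. Entries from other projects never reach the output.
def console_output_scoped(console, project_id, authorized:)
  return [] unless authorized.call(project_id)
  console.select { |e| e[:project_id] == project_id }
         .map { |e| "[#{e[:plugin]}] #{e[:text]}" }
end

# Constructed scenario: uploads for two projects sit in the queue at once.
def demo_console
  console = []
  queue = [
    UploadJob.new(project_id: 1, plugin: "Nessus",
                  lines: ["Processing host web-01 (constructed)"]),
    UploadJob.new(project_id: 2, plugin: "Burp",
                  lines: ["Imported 3 issues for client B (constructed)"]),
  ]
  queue.each { |job| job.run(console) }
  console
end

# Constructed ACL: the tester may only access project 1.
PROJECT_ACL = ->(pid) { pid == 1 }
```

Running `console_output_unscoped(demo_console)` shows both projects' lines, while the scoped variant returns only project 1's line for this tester and nothing for project 2.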

Disclosure Timeline

08.12.2023 Initial notification by email
08.12.2023 Receipt confirmation
11.12.2023 Vulnerability confirmed
n/a Security Roots publishes v4.11.0 that fixes the vulnerability
04.07.2025 This public disclosure 🙂

* The Dradis Pro logo is copyrighted by Security Roots Ltd.
