Medium Risk Advisory Featured



This advisory describes an identified vulnerability in the Dradis Pro application Version 3.4.1. One medium-risk vulnerability was identified within the application.


The API of Dradis Pro does not properly apply authorization control to project endpoints, which allows any user to access the content of a project, including the vulnerability description. This exposes sensitive information to users who are not part of the project team.

Risk Level


Affected Vendor

Product Vendor

Product Name

Affected Version

Dradis Dradis Pro application 3.4.1


Product Description

Dradis Pro is a collaborative reporting application. The project’s official website is The latest version of the application is 3.5.0.

Vulnerabilities List:

One vulnerability was identified within the Dradis Pro application:


Update to version 3.5.0



  1. Initial Discovery: 12/03/2019
  2. Contact with vendor: 12/04/2019
  3. Vendor released patched version 3.5.0: 12/19/2019




Security Risk


Access Vector

CVE-2019-19946 Medium Information Disclosure Remote

The Dradis Pro application was affected by one insecure direct object reference vulnerability (IDOR). These vulnerabilities allowed any user to extract project content through the API to and disclose sensitive information about vulnerabilities affecting Dradis clients.

The vulnerability was located on the <span style="font-size:16px;background-color:#c2d6f2;"><code><span style="font-size:16px;">/prop/api/issues/</span></code></span> endpoint. This attack can be demonstrated with the following payload:

GET /pro/api/issues/ HTTP/1.1
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
Dradis-Project-Id: <strong><span style="color:#c2282e;">[PROJECT ID]</span></strong>
Authorization: Token token="<strong>[REDACTED]</strong>"

- Payload used to access project content

This could lead to leaking sensitive information related to clients.

Florian nivette

About the author, Florian Nivette

Senior Security Consultant

Florian Nivette (CEH, CHFI, CEI, GSNA) is a Bishop Fox Alumnus who was a Senior Security Consultant at Bishop Fox, where he focused on application and network penetration testing and in-depth OS-level security. Florian is an active security researcher focusing on web applications, with a number of published CVEs (CVE-2018-11349, CVE-2018-11350, CVE-2018-11351, CVE-2018-13407, CVE-2018-11408, CVE-2018-13409, CVE-2017-77737, CVE-2017-5870, and CVE-2017-6086). He is one of the chief organizers of Nuit du Hack CTF, the largest and most well-known capture-the-flag competition in France, which draws thousands of security researchers annually.

More by Florian

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.