CVE-2023-31223 | Cyber Solutions By Thales

Abstract Advisory Information

The application is prone to a stored XSS (Cross-Site Scripting) attack.

Author: Elliot RASCH

Version affected

Name: Dradis Pro

Versions: V4.7.0

Common Vulnerability Scoring System

8.7

CVSS:3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Patches

V4.8

References

https://dradisframework.com/blog/2023/04/new-in-dradis-pro-v4-8/

Vulnerability Disclosure Timeline

02/03/2022: Vulnerability discovery
13/03/2022: Vulnerability Report to CERT-XLM
17/03/2022: Vulnerability Report to Vendor through Investigation
17/03/2022: Vulnerability PoC sent to vendor
17/03/2022: Vulnerability acknowledged by Vendor, forwarded PoC to the correct team.
14/04/2022: Updated asked to the vendor
25/04/2023: Vendor contacted again for an update
25/04/2023: Acknowledge from vendor. Vulnerability fixed in v4.8
25/04/2023: Request CVE ID to Mitre
26/04/2023: Use CVE-2023-31223.
09/05/2023: Expected Vulnerability disclosure