Key vulnerability information

Fixed in Dradis 4.16.0
Vulnerability: Authenticated (author) persistent cross-site scripting
Impact: High
Description: Insufficient validation around Gateway themes led to arbitrary JavaScript code execution.

Fixed in Dradis 4.15.0
Vulnerability: Authenticated (author) persistent cross-site scripting
Impact: High
Description: Insufficient validation around issue content led to arbitrary JavaScript code execution when syncing Issue Library entries with issues.

Fixed in Dradis 4.13.0
Vulnerability: Authenticated (author) horizontal privilege escalation
Impact: Medium
Description: Authors could access images from projects they should not have had access to.

Fixed in Dradis 4.12.0
Vulnerability: Use of default cryptographic key
Impact: Low
Description: Default SSH host keys were used in the image.

Vulnerability: Authenticated (author) path traversal
Impact: High
Description: Insufficient validation around file names led to arbitrary code execution.

Fixed in Dradis 4.11.0
Vulnerability: Authenticated (author) information disclosure
Impact: Low
Description: Authors who were removed from a project could still receive notifications from that project.

Fixed in Dradis 4.10.0
Vulnerability: Authenticated (author) broken access control: read access to system files
Impact: Medium
Description: Authors could read system files they were not authorized to read.

Fixed in Dradis 3.4.1
Vulnerability: Path traversal vulnerability
Impact: High
Description: Uploading a malicious zip file could place files in unintended locations on the filesystem.
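The two path traversal entries above (file-name validation in 4.12.0 and the malicious zip upload in 3.4.1) share one mitigation: resolve every destination path against the intended base directory before writing, and refuse anything that ends up outside it. The Ruby below is an added example written for this page, not the Dradis project's own fix; the base directory, the entry names and the helper names are constructed for illustration, and the archive entries are plain strings so the check runs without an archive library.

```ruby
require "pathname"

# Resolve +entry_name+ (an uploaded file name, or a path taken from inside an
# archive) under +base_dir+ and return the absolute destination only when it
# stays inside +base_dir+. Returns nil for anything that would escape.
# Constructed example, not Dradis code.
def safe_destination(base_dir, entry_name)
  return nil unless entry_name.is_a?(String) && !entry_name.empty?
  return nil if entry_name.include?("\0")             # NUL would truncate the path in C code
  name = entry_name.tr("\\", "/")                      # treat backslashes as separators, conservatively
  return nil if name.start_with?("/", "~")            # absolute paths and home-dir expansion never stay under base
  return nil if name.match?(%r{\A[A-Za-z]:/})         # Windows drive letters

  base = File.expand_path(base_dir)
  candidate = File.expand_path(name, base)            # collapses "." and ".." lexically
  prefix = base.end_with?(File::SEPARATOR) ? base : base + File::SEPARATOR
  # Compare with the trailing separator so "/uploads-other" is not accepted for "/uploads",
  # and reject the base directory itself: every write must land inside it.
  return nil unless candidate.start_with?(prefix)
  candidate
end

# Given the entry names of an uploaded archive, return the ones that would
# escape +base_dir+; an empty result means the archive is safe to extract there.
def traversal_entries(base_dir, entry_names)
  entry_names.reject { |n| safe_destination(base_dir, n) }
end

# Strict allowlist for a single uploaded file name (no directories at all):
# must start with an alphanumeric and contain only [A-Za-z0-9._-].
SAFE_FILENAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/

def safe_upload_name?(name)
  name.is_a?(String) && name.match?(SAFE_FILENAME) && !name.include?("..")
end

# Constructed archive listing: two benign entries, four that try to escape.
CONSTRUCTED_ENTRIES = [
  "report/findings.html",
  "../../outside.txt",
  "/absolute.txt",
  "sub\\..\\..\\outside.txt",
  "~user/file.txt",
  "report/../inside.txt",
].freeze

if __FILE__ == $PROGRAM_NAME
  base = "/srv/example/uploads"                       # placeholder directory, constructed
  CONSTRUCTED_ENTRIES.each do |entry|
    dest = safe_destination(base, entry)
    puts format("%-28s -> %s", entry.inspect, dest || "REJECTED")
  end
  puts "escaping entries: #{traversal_entries(base, CONSTRUCTED_ENTRIES).inspect}"
end
```

The decision is made on the resolved absolute path, not on the presence of `..` in the raw string, which is why `report/../inside.txt` is accepted (it stays inside the base) while the backslash and `~` forms are refused before `File.expand_path` ever sees them. For an upload that should be a single file rather than an archive, `safe_upload_name?` is the stricter choice: it allows no directory component at all.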