Gianluca Palma

15 exploits, active since Oct 2020
CVE-2020-25516 MEDIUM WRITEUP
WSO2 Enterprise Integrator < 6.6.0 - XSS
WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-site scripting (XSS) vulnerability in BPMN explorer tasks.
CVSS 5.4
CVE-2020-28047 MEDIUM WRITEUP
Web-audimex AudimexEE < 14.1.1 - XSS
AudimexEE before 14.1.1 is vulnerable to reflected cross-site scripting (XSS). If the recommended security configuration parameter "unique_error_numbers" is not set, remote attackers can inject arbitrary web script or HTML via the 'action', 'cargo' and 'panel' parameters, which can lead to data leakage.
CVSS 5.4
CVE-2020-28115 HIGH WRITEUP
Web-audimex AudimexEE < 14.1.1 - SQL Injection
A SQL injection vulnerability in the "Documents component" of AudimexEE version 14.1.0 allows an attacker to execute arbitrary SQL commands via the object_path parameter.
CVSS 8.8
CVE-2021-30055 HIGH WRITEUP
Knowage Suite <7.1 - SQL Injection
A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report.
CVSS 8.8
CVE-2021-30056 MEDIUM WRITEUP
Knowage Suite <7.4 - XSS
Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in /restful-services/publish via the 'EXEC_FROM' parameter that can lead to data leakage.
CVSS 5.4
CVE-2021-30057 MEDIUM WRITEUP
Knowage Suite <7.1 - XSS
A stored HTML injection vulnerability exists in Knowage Suite version 7.1. An attacker can inject arbitrary HTML in "/restful-services/2.0/analyticalDrivers" via the 'LABEL' and 'NAME' parameters.
CVSS 4.8
CVE-2021-30058 MEDIUM WRITEUP
Knowage Suite <7.4 - XSS
Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). An attacker can inject arbitrary external script in '/knowagecockpitengine/api/1.0/pages/execute' via the 'SBI_HOST' parameter.
CVSS 6.1
CVE-2021-30211 MEDIUM WRITEUP
Knowage Suite 7.3 - XSS
Knowage Suite 7.3 is vulnerable to stored cross-site scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.
CVSS 5.4
CVE-2021-30212 MEDIUM WRITEUP
Knowage Suite 7.3 - XSS
Knowage Suite 7.3 is vulnerable to stored cross-site scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter.
CVSS 5.4
CVE-2021-30213 MEDIUM WRITEUP
Knowage Suite 7.3 - XSS
Knowage Suite 7.3 is vulnerable to unauthenticated reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter.
CVSS 6.1
CVE-2021-30214 MEDIUM WRITEUP
Knowage Suite 7.3 - XSS
Knowage Suite 7.3 is vulnerable to stored client-side template injection in '/knowage/restful-services/signup/update' via the 'name' parameter.
CVSS 5.4
CVE-2023-22958 MEDIUM WRITEUP
Syracom Secure Login < 3.1.1.0 - Open Redirect
The Syracom Secure Login plugin before 3.1.1.0 for Jira may allow spoofing of 2FA PIN validation via the plugins/servlet/twofactor/public/pinvalidation target parameter.
CVSS 6.1
CVE-2023-49032 CRITICAL WRITEUP
LTB Self Service Password <1.5.4 - RCE
An issue in LTB Self Service Password before v1.5.4 allows a remote attacker to execute arbitrary code and obtain sensitive information by hijacking the SMS verification code function so that the code is sent to an arbitrary phone number.
CVSS 9.8
CVE-2024-34523 HIGH WRITEUP
AChecker 1.5 - Path Traversal
AChecker 1.5 allows unauthenticated remote attackers to read the contents of arbitrary files via path traversal in the download.php path parameter; the file is returned through PHP's readfile. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS 7.5
CVE-2025-57521 MEDIUM WRITEUP
Bambu Studio <2.1.1.52 - RCE
Bambu Studio 2.1.1.52 and earlier is affected by a vulnerability that allows arbitrary code execution during application startup. The application loads a network plugin without validating its digital signature or verifying its authenticity. A local attacker can exploit this behavior by placing a malicious component in the expected location, which is controllable by the attacker (e.g., under %APPDATA%), resulting in code execution within the context of the user. The main application is digitally signed, which may allow a malicious component to inherit trust and evade detection by security solutions that rely on signed parent processes.
CVSS 6.1