Francesco Mercatili

**Name of the Vulnerable Software and Affected Versions** GruppoSCAI RealGimm version 1.1.37p38 **Description** A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component allows attackers to read any file in the filesystem via supplying a crafted XML file. **Recommendations** For GruppoSCAI RealGimm version 1.1.37p38, consider disabling the VerifichePeriodiche.aspx component until a patch is available to prevent exploitation of the XXE vulnerability.

**Name of the Vulnerable Software and Affected Versions** GruppoSCAI RealGimm version 1.1.37p38 **Description** A SQL injection issue in the `Data Richiesta dal` parameter allows attackers to access the database and execute arbitrary commands via a crafted SQL query. **Recommendations** For GruppoSCAI RealGimm version 1.1.37p38, consider restricting access to the `Data Richiesta dal` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GruppoSCAI RealGimm version 1.1.37p38 **Description** The issue allows attackers to execute arbitrary code via uploading a crafted HTML file, exploiting an arbitrary file upload vulnerability in the Carica immagine function. **Recommendations** For GruppoSCAI RealGimm version 1.1.37p38, consider restricting access to the Carica immagine function to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GruppoSCAI RealGimm version 1.1.37p38 **Description** The issue is related to an arbitrary file upload vulnerability in the Gestione Documentale module, which allows attackers to execute arbitrary code by uploading a crafted file. **Recommendations** For GruppoSCAI RealGimm version 1.1.37p38, consider restricting access to the Gestione Documentale module to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GruppoSCAI RealGimm version 1.1.37p38 **Description** An improper error handling issue in the ErroreNonGestito.aspx component allows attackers to obtain sensitive technical information via a crafted SQL query. **Recommendations** For GruppoSCAI RealGimm version 1.1.37p38, consider restricting access to the ErroreNonGestito.aspx component until a patch is available. As a temporary workaround, avoid using crafted SQL queries in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GruppoSCAI RealGimm version 1.1.37p38 **Description** Multiple reflected cross-site scripting (XSS) vulnerabilities in the ErroreNonGestito.aspx component allow attackers to execute arbitrary Javascript in the context of a victim user's browser via a crafted payload injected into the `VIEWSTATE` parameter. **Recommendations** For GruppoSCAI RealGimm version 1.1.37p38, consider disabling the ErroreNonGestito.aspx component or restricting access to it until a patch is available. Avoid using the `VIEWSTATE` parameter in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.