My blog with blackjack and luxury 0-day, I’m joking only blackjack

Contacts & Social

Mastodon.

@zi0Black on Twitter.

@zi0Black on Reddit.

CVEs

• Arbitrary files write via Directory Traversal via a crafted XML document CVE-2019-18212 with @TheZ3ro

• XXE via a crafted XML document, with resultant SSRF CVE-2019-18213 with @TheZ3ro

• JWT NULL signature attack CVE-2020-28042

• QNAP Q’center Virtual Appliance < 1.12.1014 Stored XSS CVE-2021-28807

• QNAP Q’center Post-Auth Remote Code Execution via QPKG CVE-2021-28807

• TIM CPE Stack-Buffer-Overflow CVE-2021-TBA - TIM - Hall of Fame - Yes, with an RCE, you can achieve HTML injection

• Mattermost Server v5.32 > v5.36 Reflected XSS in OAuth flow CVE-2021-37859

• nfs_lookup_reply in Das U-Boot vulnerable to buffer overflow CVE-2022-30767 - (tnx @XenoKovah)

• Google Chrome - Insufficient policy enforcement in Developer Tools CVE-2022-3308

• Cisco BroadWorks CommPilot Application Software - Remote Code Execution CVE-2022-20958 with @TheZ3ro & @smaury

• Cisco BroadWorks CommPilot Application Software - Pre-auth Server-Side Request Forgery CVE-2022-20951

Remarkable events

• Meta - BountyConEDU - 2022
• Intel - Circuit Breaker - Trusted Crossing
• TumpiCon23 - committee

Work & Education

• Information Security Engineer @ Aptos Labs - End 2023 - Current

• Penetration Tester \ Security Research Engineer @ Shielder Srl - 2019 - End 2023

• Computer Systems and Networks Security Bachelor @ University of Milan - 2019 - Current

• Industrial Technical Institute Diploma - Computer Specialist

• JBZ Crew ;)

• Internship @ Shielder Srl - 2018

• External IT Consultant - 2018

• IT Consultant/Software Developer - 2017

PGP-key