Maggioli Appalti Contratti
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Maggioli Appalti Contratti.
By the Year
In 2026 there have been 0 vulnerabilities in Maggioli Appalti Contratti. Appalti Contratti did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 5 | 7.74 |
It may take a day or so for new Appalti Contratti vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Maggioli Appalti Contratti Security Vulnerabilities
Appalti & Contratti 9.12.2: Session Fixation via JSESSIONID
CVE-2022-44788
6.5 - Medium
- November 21, 2022
An issue was discovered in Appalti & Contratti 9.12.2. It allows Session Fixation. When a user logs in providing a JSESSIONID cookie that is issued by the server at the first visit, the cookie value is not updated after a successful login.
Session Fixation
Appalti & Contratti 9.12.2 Reflected XSS via idPagina
CVE-2022-44787
6.1 - Medium
- November 21, 2022
An issue was discovered in Appalti & Contratti 9.12.2. The web applications are vulnerable to a Reflected Cross-Site Scripting issue. The idPagina parameter is reflected inside the server response without any HTML encoding, resulting in XSS when the victim moves the mouse pointer inside the page. As an example, the onmouseenter attribute is not sanitized.
XSS
Appalti & Contratti 9.12.2 LFI via href param
CVE-2022-44786
7.5 - High
- November 21, 2022
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications allow Local File Inclusion in any page relying on the href parameter to specify the JSP page to be rendered. This affects ApriPagina.do POST and GET requests to each application.
SQLi in Appalti & Contratti 9.12.2 (GetListaEnti.do)
CVE-2022-44785
9.8 - Critical
- November 21, 2022
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications are subject to multiple SQL Injection vulnerabilities, some of which executable even by unauthenticated users, as demonstrated by the GetListaEnti.do cfamm parameter.
SQL Injection
Axis1.4 AdminService SSRF in Appalti&Contratti 9.12.2
CVE-2022-44784
8.8 - High
- November 21, 2022
An issue was discovered in Appalti & Contratti 9.12.2. The target web applications LFS and DL229 expose a set of services provided by the Axis 1.4 instance, embedded directly into the applications, as hinted by the WEB-INF/web.xml file leaked through Local File Inclusion. Among the exposed services, there is the Axis AdminService, which, through the default configuration, should normally be accessible only by the localhost. Nevertheless, by trying to access the mentioned service, both in LFS and DL229, the service can actually be reached even by remote users, allowing creation of arbitrary services on the server side. When an attacker can reach the AdminService, they can use it to instantiate arbitrary services on the server. The exploit procedure is well known and described in Generic AXIS-SSRF exploitation. Basically, the attack consists of writing a JSP page inside the root directory of the web application, through the org.apache.axis.handlers.LogHandler class.
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Maggioli Appalti Contratti or by Maggioli? Click the Watch button to subscribe.
