Public talks
- To the Upside Down and back: Destapando CVEs en aplicaciones Android desde dos mundos @ Navaja Negra X Edition (in Spanish)
- Find vulnerable Kotlin apps while testing CodeQL @ GitHub Universe 2022
- Security as Code: A DevSecOps Approach @ SpringOne 2021
Advisories
- CVE-2024-31450 (Arbitrary file deletion in Owncast)
- CVE-2024-29031 (SQL Injection in Meshery)
- CVE-2023-41898 (Arbitrary URL load in Android WebView in Home Assistant Companion for Android)
- CVE-2023-45146 (Unsafe deserialization in XXL-RPC)
- CVE-2023-42809 (Unsafe deserialization in Redisson)
- CVE-2023-41937 (SSRF in Bitbucket Push and Pull Request Jenkins Plugin)
- CVE-2023-37960 (Arbitrary File Exfiltration in Jenkins MathWorks Polyspace Plugin)
- CVE-2023-37942 (XML external entity (XXE) in Jenkins External Monitor Job Plugin)
- CVE-2023-37471 (SAML signature validation bypass in OpenAM)
- CVE-2023-36480 (Unsafe Deserialization in Aerospike Java client)
- CVE-2023-35947 (Arbitrary File Read/Write during TAR extraction in Gradle)
- CVE-2023-35147 (Unauthenticated arbitrary file read in AWS CodeCommit Trigger Jenkins Plugin)
- CVE-2023-33188 (Insufficient Path Validation in Omni-Notes Android App)
- CVE-2023-32991, CVE-2023-32992 (XML external entity (XXE) or server-side request forgery (SSRF) in SAML SSO Jenkins Plugin)
- CVE-2023-32986 (Arbitrary file write in the File Parameters Jenkins Plugin)
- CVE-2023-32985 (Information disclosure in the Sidebar Link Plug-in for Jenkins)
- CVE-2023-32981 (ZipSlip in Jenkins Pipeline Utility Steps Plugin)
- CVE-2023-24804 (Insufficient path validation in ownCloud Android app)
- CVE-2023-23948 (SQL Injection in ownCloud Android app)
- CVE-2022-39349 (Arbitrary File Read in Tasks.org Android app)
- GHSL-2022-046 (Intent URI permissions manipulation in WordPress for Android)
- GHSL-2022-024 (Regular Expression Denial of Service (ReDoS) in the Azure SDK for Java)
- GHSL-2022-023 (Regular Expression Denial of Service (ReDoS) in Apache Ignite)
- CVE-2022-31781 (Regular Expression Denial of Service (ReDoS) in Apache Tapestry)
- CVE-2022-30126, CVE-2022-33879 (Regular Expression Denial of Service (ReDoS) in Apache Tika)
- CVE-2022-29158 (Regular Expression Denial of Service (ReDoS) in Apache OFBiz)
- GHSL-2021-1054 and GHSL-2021-1055 (Unsafe Deserialization in Log4j2 2.15.0)
- CVE-2021-43863 (SQL Injection in FileContentProvider in Nextcloud for Android)
- CVE-2021-41256 (Intent URI permissions manipulation in Nextcloud News for Android)
- CVE-2021-41166 (Permission bypass in DiskLruImageCacheFileProvider in Nextcloud for Android)
- CVE-2021-32651 (LDAP injection in OneDev)
- CVE-2021-30005 (Local Code Execution in PyCharm)