Security Advisories

Within the scope of our activities we often happen to find vulnerabilities which have not been known yet. We contact the manufacturers to inform them about these vulnerabilities in order to allow them to implement a patch or a fix. The cooperation with the manufacturers varies, but is usually good. We have already dealt with the following manufacturers:

  1. Microsoft
  2. SAP
  3. Nortel
  4. Finjan
  5. Linux community
  6. OpenCMS
  7. Various small software manufacturers

pdf  Vulnerability Disclosure Policy

 

Date Subject Link
CSNC-2012-002 Cross-site Request Forgery based OS Command Execution   download
CSNC-2012-001 Privilege Escalation, Improper Access Control  download

2011-10-18

Oracle RDC Onsite XSS Vulnerability

 download
CVE-2011-1600
CVE-2011-1611

Grails Email Conf. plugin - Predictable Confirmation Token
Grails Email Conf. plugin - Case Insensitive Token Verif.

download
CVE-2011-1825
CVE-2011-1826
CA Arcot WebFort Versatile Authentication Server  download
CVE-2009-4505 OpenCMS OAMP Comments Module 1.0.0  
CVE-2009-1479 Camtasia Flash Vulnerability download
CVE-2009-1479 Boxalino Directory Traversal Vulnerability download
CVE-2009-1048 Authentication Bypass of Snom Phone Web Interface download
2009 Response Header Name Injection Attack  
CVE-2008-3358 SAP NetWeaver XSS Vulnerability download
CVE-2008-1547 MS OWA URL Redirection Vulnerability download
CVE-2008-0385 Urulu Web 2.0 SQL Injection
download
2008 OKI C5510MFP Printer Password Disclosure
CVE-2007-6340 LSrunasE, Supercrypt Weak Crypto
download
2007 VoIP Phone Audio Stream Rerouting Vulnerability download
2007 Nortel_IP_phone_flooding_denial_of_service download
2007 Nortel_IP_phone_forced_re-authentication download
2007 Nortel_IP_phone_surveillance_mode download
2007 Nortel_telephony_server_denial_of_service download
2007 Nortel_UNIStim_IP_softphone_buffer-overflow download
2007 DokuWiki XSS Vulnerability download
2007 SAP Internet Communication Framework (BC-MID-ICF) download
2007 SAP NetWeaver, Web Dynpro Java (BC-WD-JAV) download
CVE-2007-4018 Citrix - Redirection Vulnerability download
CVE-2007-0011 Citrix - Session Hijacking and Information Disclosure download
2007 Linux Kernel Buffer Overflow download
2006 Internet Explorer MS06-13 Vulnerability download
2004 OpenCMS Session Fixation  
2003 Finjan Content Bypass Vulnerability download

News

HTML5 Web Security
12/7/11 - HTML5 Security Research Report

Review BlackHat / Defcon 2011
11/8/11 - This year, as every year, two security analysts of Compass Security AG participated in the BlackHat and Defcon in Las Vegas.

Oracle RDC Onsite XSS Vulnerability
10/18/11 - Compass Security has found a vulnerability in ORACLE RDC ONSITE.

Course Schedule - New iPhone & iPad Hands-On course
10/6/11 - The new iPhone & iPad Compass course will be held in Switzerland for the first time

it-sa 2011: Compass Live-Hacking at IT-SA 2011 in Nürnberg
9/29/11 - Meet Compass at IT-SA Messestand in Halle 12, Stand 226. We will present Live-Hackign with newest iPhone and Mobile Devices.