Security Advisories

In the course of our work we regularly find previously unknown vulnerabilities. We contact the manufacturers to inform them about these vulnerabilities so that they can implement a patch or a fix. Cooperation with the manufacturers varies, but is usually good. We have already dealt with the following manufacturers:

  1. Microsoft
  2. SAP
  3. Nortel
  4. Finjan
  5. Linux community
  6. OpenCMS
  7. Various small software manufacturers

Vulnerability Disclosure Policy (PDF)


ID / Date               Subject
----------------------  -----------------------------------------------------------------------------
CSNC-2014-004           neutroML - Multiple vulnerabilities
CSNC-2013-018           SAP BusinessObjects Explorer - XXE
CSNC-2013-017           SAP BusinessObjects Explorer - Cross-Site Flashing
CSNC-2013-016           SAP BusinessObjects Explorer - Port Scanning
CSNC-2014-001           Java-Mail - SMTP Header Injection via method setSubject
CVE-2014-1597           i-doit - SQL Injection
CVE-2014-1237           i-doit - Cross-Site Scripting (XSS)
CSNC-2013-013           Plone CMS - URL Redirection Vulnerability
CSNC-2013-008           Secure Entry Server (SES) - URL Redirection
CSNC-2013-005-006-007   Leed (Light Feed) - Multiple vulnerabilities
CVE-2013-5966           ZK Framework - Cross-Site Scripting Vulnerability (XSS)
CSNC-2013-011           Endpoint Protector Virtual Appliance - Cross-Site Scripting Vulnerability (XSS)
CSNC-2013-022           OpenDocMan Document Management Systems - Open URL Redirection
CSNC-2013-021           VirtueMart eCommerce Solution - Cross-Site Scripting Vulnerability (XSS)
CSNC-2013-020           iCagenda - Cross-Site Scripting Vulnerability (XSS)
CSNC-2013-012           All Video Share (Joomla Extension) - SQL Injection Vulnerability
CSNC-2012-019           All Video Share (Joomla Extension) - XSS Vulnerability
CSNC-2012-018           All Video Share (Joomla Extension) - Remote File Execution
CSNC-2013-010           ohanah (Joomla Extension) - Multiple XSS Vulnerabilities
CSNC-2013-009           ohanah (Joomla Extension) - Authorization Bypass
CSNC-2012-015           Projectfork (Joomla Extension) - SQL Injection Vulnerability
CSNC-2012-024           Real Estate Manager (Joomla Extension) - SQL Injection Vulnerability
CSNC-2012-023           Real Estate Manager (Joomla Extension) - Multiple Cross-Site-Scripting Vulnerabilities
CSNC-2012-022           jNews Core (Joomla Extension) - Multiple XSS Vulnerabilities
CSNC-2012-021           HikaShop (Joomla Extension) - Cross-Site-Scripting Vulnerability
CSNC-2012-020           HikaShop (Joomla Extension) - Redirection Vulnerability
CSNC-2012-017           ALFContact (Joomla Extension) - Cross-Site-Scripting Vulnerability
CSNC-2012-016           Remository (Joomla Extension) - Cross-Site-Scripting Vulnerability
CSNC-2012-014           K2 (Joomla Extension) - Cross-Site-Scripting Vulnerability
CSNC-2012-013           jDownloads (Joomla Extension) - Multiple Cross-Site-Scripting Vulnerabilities
CSNC-2012-012           FLEXIcontent (Joomla Extension) - SQL Injection Vulnerability
CSNC-2012-011           FLEXIcontent (Joomla Extension) - URL Redirection Vulnerability
CSNC-2012-010           AcyMailing (Joomla Extension) - Redirection Vulnerability
1784770                 SAP Business Objects Enterprise XI - Multiple Cross-Site Scripting Vulnerabilities
CSNC-2012-026           Cross-Site-Scripting vulnerability in the SilverStripe blog module identified
CSNC-2012-025           Multiple Cross-Site-Scripting vulnerabilities in the SilverStripe CMS identified
CVE-2013-1413           Multiple vulnerabilities identified in "i-doit" CMDB web application
CSNC-2013-002           Drupal Module CurvyCorners - Cross-Site-Scripting Vulnerability
CSNC-2013-001           iTop Web Application - Vulnerability
CSNC-2012-009           php File Manager - Unrestricted File Download (Authorization / Authentication Bypass)
CSNC-2012-008           php File Manager - Backdoor Account
CSNC-2011-001           SAP eShop client-side denial of service
CSNC-2012-004           Cross-site scripting (XSS) within 302 Redirections
CSNC-2012-002           Cross-site Request Forgery based OS Command Execution
CSNC-2012-001           Privilege Escalation, Improper Access Control
2011-10-18              Oracle RDC Onsite XSS Vulnerability
CVE-2011-1600           Grails Email Conf. plugin - Predictable Confirmation Token
CVE-2011-1611           Grails Email Conf. plugin - Case Insensitive Token Verif.
CVE-2011-1825,          CA Arcot WebFort Versatile Authentication Server
CVE-2011-1826
CVE-2009-4505           OpenCMS OAMP Comments Module 1.0.0
CVE-2009-1479           Camtasia Flash Vulnerability
CVE-2009-1479           Boxalino Directory Traversal Vulnerability
CVE-2009-1048           Authentication Bypass of Snom Phone Web Interface
2009                    Response Header Name Injection Attack
CVE-2008-3358           SAP NetWeaver XSS Vulnerability
CVE-2008-1547           MS OWA URL Redirection Vulnerability
CVE-2008-0385           Urulu Web 2.0 SQL Injection
2008                    OKI C5510MFP Printer Password Disclosure
CVE-2007-6340           LSrunasE, Supercrypt Weak Crypto
2007                    VoIP Phone Audio Stream Rerouting Vulnerability
2007                    Nortel IP phone flooding denial of service
2007                    Nortel IP phone forced re-authentication
2007                    Nortel IP phone surveillance mode
2007                    Nortel telephony server denial of service
2007                    Nortel UNIStim IP softphone buffer overflow
2007                    DokuWiki XSS Vulnerability
2007                    SAP Internet Communication Framework (BC-MID-ICF)
2007                    SAP NetWeaver, Web Dynpro Java (BC-WD-JAV)
CVE-2007-4018           Citrix - Redirection Vulnerability
CVE-2007-0011           Citrix - Session Hijacking and Information Disclosure
2007                    Linux Kernel Buffer Overflow
2006                    Internet Explorer MS06-13 Vulnerability
2004                    OpenCMS Session Fixation
2003                    Finjan Content Bypass Vulnerability

News

Vulnerabilities in neutroML and SAP BusinessObjects Explorer
10/10/14 - Alexandre Herzog identified vulnerabilities in neutroML and SAP BusinessObjects Explorer.

Compass attends ISSE in Brussels
10/10/14 - Founded in 1999 as an initiative of the European Commission Directorate General Information Society, ISSE is Europe's only independent, interdisciplinary security conference and exhibition.

Compass at the CFO Forum
9/22/14 - 11th Handelszeitung Annual Conference

Compass Security Schweiz AG moves into new offices in Bern
6/19/14 - New home in the Länggass district

Vulnerability in JavaMail
5/22/14 - Alexandre Herzog identified a vulnerability in JavaMail.