Some of our work has been featured by news outlets and media.
Braunschweiger Zeitung interviewed Robin on his research on the Security of Web Archives (also on NDR, NDR Audio, TU-Magazin, idw, and regionalheute.de).
Malte and his co-author's work on HyTrack was covered by t-online (also TU-Magazin and via MSN), and Malte gave a radio interview at Radio38.
The Register covered our work on CVEs.
heise.de covered the German OWASP Day 2023 with a special focus on Simon's privacy talk.
netzpolitik.org wrote about our mobile privacy research in collaboration with Datenanfragen.de e.V.
Marius has been interviewed on his research on Cryptojacking by Spiegel Online.
Several of our projects deal with questions on the security of software, and consequently our research uncovers vulnerabilities, such as the ones listed below:
CVE-2022-36020: Typo3 HTML Sanitizer is vulnerable to XSS payloads enclosed in particular HTML comment combinations.
CVE-2022-23499: Typo3 HTML Sanitizer can be bypassed by embedding the payload in CDATA or by mutating out of RAWTEXT elements.
CVE-2023-23627: Ruby sanitize is affected by an mXSS vulnerability due to incorrectly parsing the noscript tag.
CVE-2023-38500: Typo3 HTML Sanitizer is affected by an mXSS vulnerability due to incorrectly parsing the noscript tag.
CVE-2023-43643: AntiSamy is affected by an mXSS vulnerability due to incorrectly parsing the noscript tag.
CVE-2023-51652: OWASP.AntiSamy is affected by an mXSS vulnerability due to incorrectly parsing the noscript tag.
CVE-2024-9392: Firefox is affected by a Site Isolation bypass vulnerability. A compromised renderer process could load documents from arbitrary sites.
CVE-2024-23635: AntiSamy is vulnerable to XSS payloads enclosed in malformed HTML comments.
2024: Student Ziad Alhajjar was awarded a bug bounty by Google. He discovered a vulnerability in Android during his master's thesis work. He bypassed the Android permission system, leaking privacy-sensitive data.
Furthermore, we have uncovered and reported security vulnerabilities in numerous open-source projects, e.g., DOMPurify or HotCRP.