CVEs from 2020
Total 3,803
- critical 206
- high 563
- medium 744
- low 59
% Critical 5.4%
% with KEV 3.8%
% with exploit 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-5412 | unknown | — | — | | | | 5y ago | Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix |
| CVE-2020-10687 | unknown | — | — | | | | 5y ago | HTTP Request Smuggling in Undertow |
| CVE-2020-10705 | unknown | — | — | | | | 5y ago | Allocation of Resources Without Limits or Throttling in Undertow |
| CVE-2020-10719 | unknown | — | — | | | | 5y ago | HTTP Request Smuggling in Undertow |
| CVE-2020-26939 | unknown | — | — | | | | 5y ago | Observable Differences in Behavior to Error Inputs in Bouncy Castle |
| CVE-2020-35217 | unknown | — | — | | | | 5y ago | Cross-Site Request Forgery in Vert.x-Web framework |
| CVE-2020-9447 | unknown | — | — | | | | 5y ago | Cross-site Scripting in GwtUpload |
| CVE-2020-13954 | unknown | — | — | | | | 5y ago | Cross-site scripting in Apache CXF |
| CVE-2020-7744 | unknown | — | — | | | | 5y ago | Remote Code Execution and download tracking in Mintegral SDK |
| CVE-2020-26945 | unknown | — | — | | | | 5y ago | Deserialization errors in MyBatis |
| CVE-2020-13955 | unknown | — | — | | | | 5y ago | Missing Authentication for Critical Function in Apache Calcite |
| CVE-2020-17510 | unknown | — | — | | | | 5y ago | Authentication bypass in Apache Shiro |
| CVE-2020-36319 | unknown | — | — | | | | 5y ago | Potential sensitive data exposure in applications using Vaadin 15 |
| CVE-2020-36321 | unknown | — | — | | | | 5y ago | Directory traversal in development mode handler in Vaadin 14 and 15-17 |
| CVE-2020-36320 | unknown | — | — | | | | 5y ago | Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7 |
| CVE-2020-8908 | unknown | — | — | | | | 5y ago | Information Disclosure in Guava |
| CVE-2020-7014 | unknown | — | — | | | | 5y ago | Privilege Escalation Flaw in Elasticsearch |
| CVE-2020-7020 | unknown | — | — | | | | 5y ago | Privilege Context Switching Error in Elasticsearch |
| CVE-2020-13959 | unknown | — | — | | | | 5y ago | Cross-site scripting (XSS) in Apache Velocity Tools |
| CVE-2020-27223 | unknown | — | — | | | | 5y ago | DOS vulnerability for Quoted Quality CSV headers |
| CVE-2020-13697 | unknown | — | — | | | | 5y ago | NanoHTTPD Cross-site Scripting vulnerability |
| CVE-2020-25649 | unknown | — | — | | | | 5y ago | XML External Entity (XXE) Injection in Jackson Databind |
| CVE-2020-8570 | unknown | — | — | | | | 5y ago | Path Traversal in the Java Kubernetes Client |
| CVE-2020-13922 | unknown | — | — | | | | 6y ago | Incorrect Default Permissions in Apache DolphinScheduler |
| CVE-2020-26282 | unknown | — | — | | | | 6y ago | Server-Side Template Injection |
| CVE-2020-26258 | unknown | — | — | | | | 6y ago | Server-Side Request Forgery can be activated when unmarshalling with XStream |
| CVE-2020-26259 | unknown | — | — | | | | 6y ago | XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling |
| CVE-2020-35460 | unknown | — | — | | | | 6y ago | MPXJ path traversal vulnerability |
| CVE-2020-26274 | unknown | — | — | | | | 6y ago | In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix. |
| CVE-2020-26234 | unknown | — | — | | | | 6y ago | Disabled Hostname Verification in Opencast |
| CVE-2020-27218 | unknown | — | — | | | | 6y ago | Buffer not correctly recycled in Gzip Request inflation |
| CVE-2020-26245 | unknown | — | — | | | | 6y ago | npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper poll… |
| CVE-2020-26238 | unknown | — | — | | | | 6y ago | Template injection in cron-utils |
| CVE-2020-26237 | unknown | — | — | | | | 6y ago | Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will … |
| CVE-2020-26217 | unknown | — | — | | | | 6y ago | XStream can be used for Remote Code Execution |
| CVE-2020-27216 | unknown | — | — | | | | 6y ago | Local Temp Directory Hijacking Vulnerability |
| CVE-2020-35922 | unknown | — | — | | | | 6y ago | An issue was discovered in the mio crate before 0.7.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation. |
| CVE-2020-26300 | unknown | — | — | | | | 6y ago | systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. Problem was fix… |
| CVE-2020-7752 | unknown | — | — | | | | 6y ago | This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execu… |
| CVE-2020-8929 | unknown | — | — | | | | 6y ago | Ciphertext Malleability Issue in Tink Java |
| CVE-2020-15252 | unknown | — | — | | | | 6y ago | RCE in XWiki |
| CVE-2020-15170 | unknown | — | — | | | | 6y ago | Potential access control security issue in apollo-adminservice |
| CVE-2020-15171 | unknown | — | — | | | | 6y ago | Users with SCRIPT right can execute arbitrary code in XWiki |
| CVE-2020-24660 | unknown | — | — | | | | 6y ago | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also af… |
| CVE-2020-15094 | unknown | — | — | | | | 6y ago | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… |
| CVE-2020-12480 | unknown | — | — | | | | 6y ago | CSRF in Play Framework |
| CVE-2020-5413 | unknown | — | — | | | | 6y ago | Code execution in Spring Integration |
| CVE-2020-13921 | unknown | — | — | | | | 6y ago | SQL Injection in Apache SkyWalking |
| CVE-2020-11994 | unknown | — | — | | | | 6y ago | Server side template injection in Apache Camel |
| CVE-2020-1937 | unknown | — | — | | | | 6y ago | SQL Injection in Kylin |
| CVE-2020-13926 | unknown | — | — | | | | 6y ago | SQL Injection in Kylin |
| CVE-2020-13925 | unknown | — | — | | | | 6y ago | Command Injection in Kylin |
| CVE-2020-15231 | unknown | — | — | | | | 6y ago | XSS in Mapfish Print relating to JSONP support |
| CVE-2020-15232 | unknown | — | — | | | | 6y ago | XXE attack in Mapfish Print |
| CVE-2020-15087 | unknown | — | — | | | | 6y ago | Privilege escalation in Presto |
| CVE-2020-14061 | unknown | — | — | | | | 6y ago | Deserialization of untrusted data in Jackson Databind |
| CVE-2020-14195 | unknown | — | — | | | | 6y ago | Deserialization of untrusted data in Jackson Databind |
| CVE-2020-11612 | unknown | — | — | | | | 6y ago | Denial of Service in Netty |
| CVE-2020-5408 | unknown | — | — | | | | 6y ago | Insufficient Entropy in Spring Security |
| CVE-2020-7226 | unknown | — | — | | | | 6y ago | Denial of Service in Cryptacular |
| CVE-2020-10683 | unknown | — | — | | | | 6y ago | dom4j allows External Entities by default which might enable XXE attacks |
| CVE-2020-5407 | unknown | — | — | | | | 6y ago | Signature wrapping vulnerability in Spring Security |
| CVE-2020-5405 | unknown | — | — | | | | 6y ago | Directory traversal attack in Spring Cloud Config |
| CVE-2020-1963 | unknown | — | — | | | | 6y ago | File system access via H2 in Apache Ignite |
| CVE-2020-11973 | unknown | — | — | | | | 6y ago | Apache Camel Netty enables Java deserialization by default |
| CVE-2020-1941 | unknown | — | — | | | | 6y ago | Apache ActiveMQ webconsole admin GUI is open to XSS |
| CVE-2020-5529 | unknown | — | — | | | | 6y ago | Code execution vulnerability in HtmlUnit |
| CVE-2020-1953 | unknown | — | — | | | | 6y ago | Remote code execution in Apache Commons Configuration |
| CVE-2020-10968 | unknown | — | — | | | | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing |
| CVE-2020-11111 | unknown | — | — | | | | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing |
| CVE-2020-7647 | unknown | — | — | | | | 6y ago | Path traversal in Jooby |
| CVE-2020-11050 | unknown | — | — | | | | 6y ago | Improper Validation of Certificate with Host Mismatch in Java-WebSocket |
| CVE-2020-1929 | unknown | — | — | | | | 6y ago | Improper Certificate Validation in Apache Beam |
| CVE-2020-11009 | unknown | — | — | | | | 6y ago | IDOR can reveal execution data and logs to unauthorized user in Rundeck |
| CVE-2020-10969 | unknown | — | — | | | | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing |
| CVE-2020-11620 | unknown | — | — | | | | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing |
| CVE-2020-11007 | unknown | — | — | | | | 6y ago | Negative charge in shopping cart in Shopizer |
| CVE-2020-1728 | unknown | — | — | | | | 6y ago | Improper Restriction of Rendered UI Layers or Frames in Keycloak |
| CVE-2020-1731 | unknown | — | — | | | | 6y ago | Predictable password in Keycloak |
| CVE-2020-1697 | unknown | — | — | | | | 6y ago | XSS in Keycloak |
| CVE-2020-10203 | unknown | — | — | | | | 6y ago | Persistent Cross-Site scripting in Nexus Repository Manager |
| CVE-2020-10204 | unknown | — | — | | | | 6y ago | Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager |
| CVE-2020-11002 | unknown | — | — | | | | 6y ago | Remote Code Execution (RCE) vulnerability in dropwizard-validation |
| CVE-2020-7622 | unknown | — | — | | | | 6y ago | Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting') |
| CVE-2020-5497 | unknown | — | — | | | | 6y ago | XSS in MITREid Connect |
| CVE-2020-7611 | unknown | — | — | | | | 6y ago | Micronaut's HTTP client is vulnerable to HTTP Request Header Injection |
| CVE-2020-5289 | unknown | — | — | | | | 6y ago | Read permissions not enforced for client provided filter expressions in Elide |
| CVE-2020-5275 | unknown | — | — | | | | 6y ago | In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides … |
| CVE-2020-5274 | unknown | — | — | | | | 6y ago | In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even … |
| CVE-2020-5255 | unknown | — | — | | | | 6y ago | In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the r… |
| CVE-2020-5280 | unknown | — | — | | | | 6y ago | Local file inclusion vulnerability in http4s |
| CVE-2020-6858 | unknown | — | — | | | | 6y ago | HTTP Response Splitting in Styx |
| CVE-2020-5245 | unknown | — | — | | | | 6y ago | Remote Code Execution (RCE) vulnerability in dropwizard-validation |
| CVE-2020-7238 | unknown | — | — | | | | 6y ago | HTTP Request Smuggling in Netty |
| CVE-2020-1925 | unknown | — | — | | | | 6y ago | Server-Side Request Forgery (SSRF) in Apache Olingo |
| CVE-2020-5228 | unknown | — | — | | | | 6y ago | Unauthenticated Access Via OAI-PMH |
| CVE-2020-5229 | unknown | — | — | | | | 6y ago | Password Hashing: Do not use MD5 |
| CVE-2020-5230 | unknown | — | — | | | | 6y ago | Unsafe Identifiers in Opencast |
| CVE-2020-5222 | unknown | — | — | | | | 6y ago | Hard-Coded Key Used For Remember-me Token in Opencast |
| CVE-2020-5231 | unknown | — | — | | | | 6y ago | Users with ROLE_COURSE_ADMIN can create new users in Opencast |