CVEs from 2020
Total
3,797
critical
critical 206
high
high 563
medium
medium 745
low
low 59
% Critical
5.4%
% with KEV
3.8%
% with exploit
5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-15647 | unknown | — | — | — | A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins. This… | |||
| CVE-2020-6554 | unknown | — | — | — | Use after free in extensions in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially perform a sandbox escape via a crafted Chrome Extension. | |||
| CVE-2020-6553 | unknown | — | — | — | Use after free in offline mode in Google Chrome on iOS prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-22284 | unknown | — | — | — | A buffer overflow vulnerability in the zepif_linkoutput() function of Free Software Foundation lwIP git head version and version 2.1.2 allows attackers to access sensitive information via a crafted 6… | |||
| CVE-2020-6453 | unknown | — | — | — | Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-29663 | unknown | — | — | — | Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.… | |||
| CVE-2020-14004 | unknown | — | — | — | An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an u… | |||
| CVE-2020-27507 | unknown | — | — | — | The Kamailio SIP before 5.5.0 server mishandles INVITE requests with duplicated fields and overlength tag, leading to a buffer overflow that crashes the server or possibly have unspecified other impa… | |||
| CVE-2020-14392 | unknown | — | — | — | An untrusted pointer dereference flaw was found in Perl-DBI < 1.643. A local attacker who is able to manipulate calls to dbd_db_login6_sv() could cause memory corruption, affecting the service's avai… | |||
| CVE-2020-14415 | unknown | — | — | — | oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. | |||
| CVE-2020-13659 | unknown | — | — | — | address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. | |||
| CVE-2020-35269 | unknown | — | — | — | Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross-Site Request Forgery (CSRF) in many functions, like adding – deleting for hosts or servers. | |||
| CVE-2020-14402 | unknown | — | — | — | An issue was discovered in LibVNCServer before 0.9.13. libvncserver/corre.c allows out-of-bounds access via encodings. | |||
| CVE-2020-18839 | unknown | — | — | — | Buffer Overflow vulnerability in HtmlOutputDev::page in poppler 0.75.0 allows attackers to cause a denial of service. | |||
| CVE-2020-15900 | unknown | — | — | — | A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'po… | |||
| CVE-2020-25678 | unknown | — | — | — | A flaw was found in ceph in versions prior to 16.y.z where ceph stores mgr module passwords in clear text. This can be found by searching the mgr logs for grafana and dashboard, with passwords visibl… | |||
| CVE-2020-6498 | unknown | — | — | — | Incorrect implementation in user interface in Google Chrome on iOS prior to 83.0.4103.88 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2020-6499 | unknown | — | — | — | Inappropriate implementation in AppCache in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass AppCache security restrictions via a crafted HTML page. | |||
| CVE-2020-6377 | unknown | — | — | — | Use after free in audio in Google Chrome prior to 79.0.3945.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-15994 | unknown | — | — | — | Use after free in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-13614 | unknown | — | — | — | An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification. | |||
| CVE-2020-27781 | unknown | — | — | — | User credentials can be manipulated and stolen by Native CephFS consumers of OpenStack Manila, resulting in potential privilege escalation. An Open Stack Manila user can request access to a share to … | |||
| CVE-2020-6539 | unknown | — | — | — | Use after free in CSS in Google Chrome prior to 84.0.4147.105 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-12388 | unknown | — | — | — | The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerab… | |||
| CVE-2020-36843 | unknown | — | — | 1y ago | Ed25519 Signature Malleability in ed25519-java Due to Missing Scalar Range Check | |||
| CVE-2020-27534 | unknown | — | — | 2y ago | util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.T… | |||
| CVE-2020-15136 | unknown | — | — | 2y ago | In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on e… | |||
| CVE-2020-15114 | unknown | — | — | 2y ago | In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoin… | |||
| CVE-2020-15113 | unknown | — | — | 2y ago | In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS con… | |||
| CVE-2020-24922 | unknown | — | — | 3y ago | xuxueli xxl-job Cross-Site Request Forgery Vulnerability | |||
| CVE-2020-21485 | unknown | — | — | 3y ago | Alluxio Cross Site Scripting vulnerability | |||
| CVE-2020-22755 | unknown | — | — | 3y ago | MCMS vulnerable to arbitrary code execution via crafted thumbnail | |||
| CVE-2020-20913 | unknown | — | — | 3y ago | Ming-Soft MCMS vulnerable to SQL injection | |||
| CVE-2020-36640 | unknown | — | — | 4y ago | bonita-connector-webservice XML External Entity vulnerability | |||
| CVE-2020-36641 | unknown | — | — | 4y ago | aXMLRPC XML External Entity vulnerability | |||
| CVE-2020-15115 | unknown | — | — | 4y ago | etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess … | |||
| CVE-2020-15112 | unknown | — | — | 4y ago | In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are b… | |||
| CVE-2020-15106 | unknown | — | — | 4y ago | In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on … | |||
| CVE-2020-23622 | unknown | — | — | 4y ago | 4thline cling uPnP protocol issue can lead to denial of service | |||
| CVE-2020-7677 | unknown | — | — | 4y ago | thenify before 3.3.1 made use of unsafe calls to `eval`. | |||
| CVE-2020-28191 | unknown | — | — | 4y ago | Togglz console missing cross-site request forgery (CSRF) protection | |||
| CVE-2020-10650 | unknown | — | — | 4y ago | jackson-databind vulnerable to unsafe deserialization | |||
| CVE-2020-28865 | unknown | — | — | 4y ago | Insufficiently Protected Credentials in PowerJob | |||
| CVE-2020-28088 | unknown | — | — | 4y ago | Jeecg-Boot CMS arbitrary file upload vulnerability | |||
| CVE-2020-7021 | unknown | — | — | 4y ago | Insertion of Sensitive Information into Log File in Elasticsearch | |||
| CVE-2020-29582 | unknown | — | — | 4y ago | Incorrect Default Permissions in JetBrains Kotlin | |||
| CVE-2020-25476 | unknown | — | — | 4y ago | Liferay Portal Vulnerable to Cross-Site Scripting (XSS) via User Name Parameter | |||
| CVE-2020-8920 | unknown | — | — | 4y ago | Information leak in Gerrit | |||
| CVE-2020-16971 | unknown | — | — | 4y ago | Azure SDK for Java Security Feature Bypass Vulnerability | |||
| CVE-2020-27822 | unknown | — | — | 4y ago | Wildfly has a memory leak vulnerability | |||
| CVE-2020-2324 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins CVS Plugin | |||
| CVE-2020-2320 | unknown | — | — | 4y ago | Jenkins Plugin Installation Manager Tool did not verify plugin downloads | |||
| CVE-2020-2323 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Chaos Monkey Plugin | |||
| CVE-2020-2322 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Chaos Monkey Plugin | |||
| CVE-2020-2321 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Shelve Project Plugin | |||
| CVE-2020-2318 | unknown | — | — | 4y ago | Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin | |||
| CVE-2020-2319 | unknown | — | — | 4y ago | Password stored in plain text by Jenkins VMware Lab Manager Slaves Plugin | |||
| CVE-2020-2313 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Azure Key Vault Plugin allow enumerating credentials IDs | |||
| CVE-2020-2309 | unknown | — | — | 4y ago | Missing authorization in Jenkins Kubernetes Plugin | |||
| CVE-2020-2311 | unknown | — | — | 4y ago | Missing permission check in Jenkins AWS Global Configuration Plugin allows replacing plugin configuration | |||
| CVE-2020-2314 | unknown | — | — | 4y ago | Password stored in plain text by Jenkins AppSpider Plugin | |||
| CVE-2020-2315 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Visualworks Store Plugin | |||
| CVE-2020-2316 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Static Analysis Utilities Plugin | |||
| CVE-2020-2310 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Ansible Plugin allow enumerating credentials IDs | |||
| CVE-2020-2312 | unknown | — | — | 4y ago | Password written to the build log by Jenkins SQLPlus Script Runner Plugin | |||
| CVE-2020-2308 | unknown | — | — | 4y ago | Missing Authorization in Jenkins Kubernetes Plugin | |||
| CVE-2020-2305 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Mercurial Plugin | |||
| CVE-2020-2301 | unknown | — | — | 4y ago | Authentication cache in Active Directory Jenkins Plugin allows logging in with any password | |||
| CVE-2020-2300 | unknown | — | — | 4y ago | Improper Authentication (empty password) in Jenkins Active Directory Plugin | |||
| CVE-2020-2303 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Active Directory Plugin | |||
| CVE-2020-2299 | unknown | — | — | 4y ago | Improper Authentication in Jenkins Active Directory Plugin | |||
| CVE-2020-2306 | unknown | — | — | 4y ago | Missing Authorization in Jenkins Mercurial Plugin | |||
| CVE-2020-2302 | unknown | — | — | 4y ago | Missing permission check in Jenkins Active Directory Plugin allows accessing domain health check page | |||
| CVE-2020-2307 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Jenkins Kubernetes Plugin | |||
| CVE-2020-2304 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Subversion Plugin | |||
| CVE-2020-25689 | unknown | — | — | 4y ago | Uncontrolled Resource Consumption in WildFly | |||
| CVE-2020-10721 | unknown | — | — | 4y ago | fabric8-maven-plugin: insecure way to construct Yaml Object leading to remote code execution | |||
| CVE-2020-2294 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Maven Cascade Release Plugin | |||
| CVE-2020-2295 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Maven Cascade Release Plugin | |||
| CVE-2020-2298 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Nerrvana Plugin | |||
| CVE-2020-2297 | unknown | — | — | 4y ago | Access token stored in plain text by Jenkins SMS Notification Plugin | |||
| CVE-2020-2290 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Active Choices Plugin | |||
| CVE-2020-2289 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Active Choices Plugin | |||
| CVE-2020-2293 | unknown | — | — | 4y ago | Arbitrary file read vulnerability in Jenkins Persona Plugin | |||
| CVE-2020-2292 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Release Plugin | |||
| CVE-2020-2291 | unknown | — | — | 4y ago | Password stored in plain text by Jenkins couchdb-statistics Plugin | |||
| CVE-2020-2296 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Shared Objects Plugin | |||
| CVE-2020-2288 | unknown | — | — | 4y ago | Incorrect default pattern in Jenkins Audit Trail Plugin | |||
| CVE-2020-25644 | unknown | — | — | 4y ago | Wildfly-OpenSSL memory leak flaw | |||
| CVE-2020-15840 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Bypass via Double Encoded URL | |||
| CVE-2020-2282 | unknown | — | — | 4y ago | Missing permission check in Jenkins Implied Labels Plugin allows reconfiguring the plugin | |||
| CVE-2020-2283 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Liquibase Runner Plugin | |||
| CVE-2020-2285 | unknown | — | — | 4y ago | Missing permission check in Jenkins Liquibase Runner Plugin allows enumerating credentials IDs | |||
| CVE-2020-2284 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Liquibase Runner Plugin | |||
| CVE-2020-2280 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins warnings Plugin allows remote code execution | |||
| CVE-2020-2279 | unknown | — | — | 4y ago | Sandbox bypass vulnerability in Jenkins Script Security Plugin | |||
| CVE-2020-2281 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Lockable Resources Plugin | |||
| CVE-2020-2274 | unknown | — | — | 4y ago | Passwords stored in plain text by ElasTest Plugin | |||
| CVE-2020-2272 | unknown | — | — | 4y ago | Missing permission checks in Jenkins ElasTest Plugin | |||
| CVE-2020-2278 | unknown | — | — | 4y ago | Arbitrary file write vulnerability in Jenkins Storable Configs Plugin |