CVEs from 2020
Total
3,809
critical
critical 206
high
high 563
medium
medium 743
low
low 59
% Critical
5.4%
% with KEV
3.8%
% with exploit
5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-7595 | medium | — | 5.5 | 6y ago | RHSA-2020:4479: libxml2 security update (Moderate) | |||
| CVE-2020-7471 | medium | — | 5.5 | 6y ago | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data … | |||
| CVE-2020-37241 | medium | 5.3 | 5.3 | 20d ago | bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can… | |||
| CVE-2020-8927 | medium | 5.3 | 5.3 | 5y ago | RHSA-2022:0830: .NET 5.0 security and bugfix update (Important) | |||
| CVE-2020-26146 | medium | 5.3 | 5.3 | 5y ago | An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfi… | |||
| CVE-2020-27283 | medium | 5.3 | 5.3 | 6y ago | An attacker could send a specially crafted message to Crimson 3.1 (Build versions prior to 3119.001) that could leak arbitrary memory locations. | |||
| CVE-2020-7549 | medium | 5.3 | 5.3 | 6y ago | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication … | |||
| CVE-2020-29372 | medium | 4.7 | 4.7 | 6y ago | An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1… | |||
| CVE-2020-37217 | medium | 4.3 | 4.3 | 23d ago | Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attack… | |||
| CVE-2020-7568 | medium | 4.3 | 4.3 | 6y ago | A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon M221 (all references, all versions) that could allow non sensitive information disclosure when th… | |||
| CVE-2020-8166 | medium | 4.3 | 4.3 | 6y ago | Ability to forge per-form CSRF tokens in Rails | |||
| CVE-2020-8561 | medium | 4.1 | 4.1 | 5y ago | A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver re… | |||
| CVE-2020-9488 | low | 3.7 | 3.7 | 6y ago | Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log mess… | |||
| CVE-2020-7656 | low | — | 3.5 | 6y ago | RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) | |||
| CVE-2020-9359 | low | — | 2.5 | — | KDE Okular before 1.10.0 allows code execution via an action link in a PDF document. | |||
| CVE-2020-14196 | low | — | 2.5 | — | In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. | |||
| CVE-2020-24825 | low | — | 2.5 | — | A vulnerability in the line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-24826 | low | — | 2.5 | — | A vulnerability in the elf::section::as_strtab function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-18773 | low | — | 2.5 | — | An invalid memory access in the decode function in iptc.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif file. | |||
| CVE-2020-27673 | low | — | 2.5 | — | An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e995… | |||
| CVE-2020-24822 | low | — | 2.5 | — | A vulnerability in the dwarf::cursor::uleb function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-22024 | low | — | 2.5 | — | Buffer Overflow vulnerability in FFmpeg 4.2 at the lagfun_frame16 function in libavfilter/vf_lagfun.c, which could let a remote malicious user cause Denial of Service. | |||
| CVE-2020-22026 | low | — | 2.5 | — | Buffer Overflow vulnerability exists in FFmpeg 4.2 in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service. | |||
| CVE-2020-35450 | low | — | 2.5 | — | Gobby 0.4.11 allows a NULL pointer dereference in the D-Bus handler for certain set_language calls. | |||
| CVE-2020-18774 | low | — | 2.5 | — | A float point exception in the printLong function in tags_int.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif file. | |||
| CVE-2020-18974 | low | — | 2.5 | — | Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers to cause a denial of service via 'crc64i' in the component 'nasmlib/crc64'. This issue is different than CVE-2019-7147. | |||
| CVE-2020-11867 | low | — | 2.5 | — | Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and… | |||
| CVE-2020-24824 | low | — | 2.5 | — | A global buffer overflow issue in the dwarf::line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS). | |||
| CVE-2020-29562 | low | — | 2.5 | — | The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, … | |||
| CVE-2020-25691 | low | — | 2.5 | — | denial of service in darkhttpd | |||
| CVE-2020-25639 | low | — | 2.5 | — | A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This fl… | |||
| CVE-2020-35501 | low | — | 2.5 | — | A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem | |||
| CVE-2020-24823 | low | — | 2.5 | — | A vulnerability in the dwarf::to_string function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-20448 | low | — | 2.5 | — | FFmpeg 4.1.3 is affected by a Divide By Zero issue via libavcodec/ratecontrol.c, which allows a remote malicious user to cause a Denial of Service. | |||
| CVE-2020-24821 | low | — | 2.5 | — | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-35112 | low | — | 2.5 | — | If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an … | |||
| CVE-2020-27675 | low | — | 2.5 | — | An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condit… | |||
| CVE-2020-24827 | low | — | 2.5 | — | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-15466 | low | — | 2.5 | — | In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-gvcp.c by ensuring that an offset increases in all situations. | |||
| CVE-2020-27837 | low | — | 2.5 | — | A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessin… | |||
| CVE-2020-12823 | low | — | 2.5 | — | OpenConnect 8.09 has a buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c. | |||
| CVE-2020-12755 | low | — | 2.5 | — | fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended… | |||
| CVE-2020-22028 | low | — | 2.5 | — | Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service. | |||
| CVE-2020-28030 | low | — | 2.5 | — | In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was addressed in epan/dissectors/packet-gquic.c by correcting the implementation of offset advancement. | |||
| CVE-2020-16121 | low | — | 2.5 | — | PackageKit provided detailed error messages to unprivileged callers that exposed information about file presence and mimetype of files that the user would be unable to determine on its own. | |||
| CVE-2020-24363 | unknown | — | 2.5 | 9mo ago | TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST … | |||
| CVE-2020-2883 | unknown | — | 2.5 | 1y ago | Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3. | |||
| CVE-2020-0618 | unknown | — | 2.5 | 2y ago | Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in t… | |||
| CVE-2020-21710 | low | — | 2.5 | 2y ago | RHSA-2024:2966: ghostscript security update (Low) | |||
| CVE-2020-5741 | unknown | — | 2.5 | 3y ago | Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload featur… | |||
| CVE-2020-23903 | low | — | 2.5 | 4y ago | Low: speex security update | |||
| CVE-2020-3433 | unknown | — | 2.5 | 4y ago | Cisco AnyConnect Secure Mobility Client for Windows interprocess communication (IPC) channel allows for insufficient validation of resources that are loaded by the application at run time. An attacke… | |||
| CVE-2020-3153 | unknown | — | 2.5 | 4y ago | Cisco AnyConnect Secure Mobility Client for Windows allows for incorrect handling of directory paths. An attacker with valid credentials on Windows would be able to copy malicious files to arbitrary … | |||
| CVE-2020-9934 | unknown | — | 2.5 | 4y ago | Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information. | |||
| CVE-2020-0601 | unknown | — | 2.5 | 4y ago | Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by usin… | |||
| CVE-2020-3837 | unknown | — | 2.5 | 4y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. | |||
| CVE-2020-13950 | low | — | 2.5 | 4y ago | Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, le… | |||
| CVE-2020-22083 | low | — | 2.5 | 4y ago | ** DISPUTED ** jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and cl… | |||
| CVE-2020-16846 | unknown | — | 2.5 | 4y ago | SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users runnin… | |||
| CVE-2020-11651 | unknown | — | 2.5 | 4y ago | SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some m… | |||
| CVE-2020-11652 | unknown | — | 2.5 | 4y ago | SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. Salt users who follow fundamental internet security … | |||
| CVE-2020-7961 | unknown | — | 2.5 | 4y ago | Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services. | |||
| CVE-2020-17489 | low | — | 2.5 | 4y ago | RHSA-2022:1814: gnome-shell security and bug fix update (Low) | |||
| CVE-2020-25223 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. | |||
| CVE-2020-0796 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerabili… | |||
| CVE-2020-17530 | unknown | — | 2.5 | 4y ago | Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution. | |||
| CVE-2020-5722 | unknown | — | 2.5 | 4y ago | Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root. | |||
| CVE-2020-0787 | unknown | — | 2.5 | 4y ago | Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-l… | |||
| CVE-2020-14864 | unknown | — | 2.5 | 4y ago | Path traversal vulnerability, where an attacker can target the preview FilePath parameter of the getPreviewImage function to get access to arbitrary system file. | |||
| CVE-2020-8816 | unknown | — | 2.5 | 5y ago | Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. | |||
| CVE-2020-24370 | low | — | 2.5 | 5y ago | RHSA-2021:4510: lua security update (Low) | |||
| CVE-2020-16135 | low | — | 2.5 | 5y ago | RHSA-2021:4387: libssh security update (Low) | |||
| CVE-2020-14155 | low | — | 2.5 | 5y ago | RHSA-2021:4373: pcre security update (Low) | |||
| CVE-2020-18442 | low | — | 2.5 | 5y ago | RHSA-2021:4316: zziplib security update (Low) | |||
| CVE-2020-8037 | low | — | 2.5 | 5y ago | RHSA-2021:4236: tcpdump security and bug fix update (Low) | |||
| CVE-2020-36314 | low | — | 2.5 | 5y ago | RHSA-2021:4179: file-roller security update (Low) | |||
| CVE-2020-13987 | low | — | 2.5 | 5y ago | RHBA-2021:4446: iscsi-initiator-utils bug fix and enhancement update (Low) | |||
| CVE-2020-8644 | unknown | — | 2.5 | 5y ago | PlaySMS contains a server-side template injection vulnerability that allows for remote code execution. | |||
| CVE-2020-6207 | unknown | — | 2.5 | 5y ago | SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution M… | |||
| CVE-2020-3161 | unknown | — | 2.5 | 5y ago | Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (… | |||
| CVE-2020-3950 | unknown | — | 2.5 | 5y ago | VMware Fusion, Remote Console (VMRC) for Mac, and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries that allows attackers to escalate privileg… | |||
| CVE-2020-6287 | unknown | — | 2.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create adminis… | |||
| CVE-2020-5735 | unknown | — | 2.5 | 5y ago | Amcrest cameras and NVR contain a stack-based buffer overflow vulnerability through port 37777 that allows an unauthenticated, remote attacker to crash the device and possibly execute code. | |||
| CVE-2020-10221 | unknown | — | 2.5 | 5y ago | rConfig lib/ajaxHandlers/ajaxAddTemplate.php contains an OS command injection vulnerability that allows remote attackers to execute OS commands via shell metacharacters in the fileName POST parameter. | |||
| CVE-2020-0646 | unknown | — | 2.5 | 5y ago | Microsoft .NET Framework contains an improper input validation vulnerability that allows for remote code execution. | |||
| CVE-2020-1054 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability when the Windows kernel-mode driver fails to properly handle objects in memory. Successful exploitation allows an attacker to execute co… | |||
| CVE-2020-8515 | unknown | — | 2.5 | 5y ago | DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-4428 | unknown | — | 2.5 | 5y ago | IBM Data Risk Manager contains an unspecified vulnerability which could allow a remote, authenticated attacker to execute commands on the system.� | |||
| CVE-2020-4427 | unknown | — | 2.5 | 5y ago | IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially craf… | |||
| CVE-2020-15505 | unknown | — | 2.5 | 5y ago | Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-0674 | unknown | — | 2.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability due to the way the Scripting Engine handles objects in memory. Successful exploitation could allow remote code execution in the … | |||
| CVE-2020-3452 | unknown | — | 2.5 | 5y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerab… | |||
| CVE-2020-10189 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution. | |||
| CVE-2020-11738 | unknown | — | 2.5 | 5y ago | WordPress Snap Creek Duplicator plugin contains a file download vulnerability when an administrator creates a new copy of their site that allows an attacker to download the generated files from their… | |||
| CVE-2020-25213 | unknown | — | 2.5 | 5y ago | WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site. | |||
| CVE-2020-17496 | unknown | — | 2.5 | 5y ago | The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. Thi… | |||
| CVE-2020-8260 | unknown | — | 2.5 | 5y ago | Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction. | |||
| CVE-2020-5902 | unknown | — | 2.5 | 5y ago | F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages. | |||
| CVE-2020-8657 | unknown | — | 2.5 | 5y ago | EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token. | |||
| CVE-2020-8655 | unknown | — | 2.5 | 5y ago | EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap7. |