CVEs from 2020
Total
3,797
critical
critical 206
high
high 563
medium
medium 745
low
low 59
% Critical
5.4%
% with KEV
3.8%
% with exploit
5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-4427 | unknown | — | 2.5 | 5y ago | IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially craf… | |||
| CVE-2020-15505 | unknown | — | 2.5 | 5y ago | Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-14871 | unknown | — | 2.5 | 5y ago | Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected systems. | |||
| CVE-2020-2555 | unknown | — | 2.5 | 5y ago | Multiple Oracle products contain a remote code execution vulnerability that allows an unauthenticated attacker with network access via T3 or HTTP to takeover the affected system. Impacted Oracle prod… | |||
| CVE-2020-14883 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability. | |||
| CVE-2020-3952 | unknown | — | 2.5 | 5y ago | VMware vCenter Server contains an information disclosure vulnerability in the VMware Directory Service (vmdir) when the Platform Services Controller (PSC) does not correctly implement access controls… | |||
| CVE-2020-14882 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related to CVE-2020-14750. | |||
| CVE-2020-5902 | unknown | — | 2.5 | 5y ago | F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages. | |||
| CVE-2020-10221 | unknown | — | 2.5 | 5y ago | rConfig lib/ajaxHandlers/ajaxAddTemplate.php contains an OS command injection vulnerability that allows remote attackers to execute OS commands via shell metacharacters in the fileName POST parameter. | |||
| CVE-2020-6287 | unknown | — | 2.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create adminis… | |||
| CVE-2020-6207 | unknown | — | 2.5 | 5y ago | SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution M… | |||
| CVE-2020-3161 | unknown | — | 2.5 | 5y ago | Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (… | |||
| CVE-2020-16117 | low | — | 2.5 | 5y ago | RHSA-2021:1752: evolution security, bug fix, and enhancement update (Low) | |||
| CVE-2020-36318 | low | — | 2.5 | 5y ago | In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or doub… | |||
| CVE-2020-36317 | low | — | 2.5 | 5y ago | In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could res… | |||
| CVE-2020-13927 | unknown | — | 2.5 | 5y ago | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication. | |||
| CVE-2020-29651 | low | — | 2.5 | 5y ago | A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying … | |||
| CVE-2020-17519 | unknown | — | 2.5 | 6y ago | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. | |||
| CVE-2020-3898 | low | — | 2.5 | 6y ago | RHSA-2020:4469: cups security and bug fix update (Low) | |||
| CVE-2020-11736 | low | — | 2.5 | 6y ago | RHSA-2021:4179: file-roller security update (Low) | |||
| CVE-2020-14928 | low | — | 2.5 | 6y ago | RHSA-2020:4649: evolution security and bug fix update (Low) | |||
| CVE-2020-12803 | low | — | 2.5 | 6y ago | ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form data can be submitted to a URI, for example, to an external web server. To create submittable f… | |||
| CVE-2020-12802 | low | — | 2.5 | 6y ago | LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who w… | |||
| CVE-2020-10759 | low | — | 2.5 | 6y ago | A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practi… | |||
| CVE-2020-11978 | unknown | — | 2.5 | 6y ago | A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow. | |||
| CVE-2020-5410 | unknown | — | 2.5 | 6y ago | Spring, by VMware Tanzu, Cloud Config contains a path traversal vulnerability that allows applications to serve arbitrary configuration files. | |||
| CVE-2020-11078 | low | — | 2.5 | 6y ago | RHSA-2020:4605: resource-agents security and bug fix update (Low) | |||
| CVE-2020-11054 | low | — | 2.5 | 6y ago | In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (col… | |||
| CVE-2020-10199 | unknown | — | 2.5 | 6y ago | Sonatype Nexus Repository contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-15719 | low | — | 2.5 | 7y ago | RHBA-2019:3674: openldap bug fix and enhancement update (Low) | |||
| CVE-2020-8562 | low | 2.2 | 2.2 | 4y ago | As mitigations to a report from 2019 and CVE-2020-8555, Kubernetes attempts to prevent proxied connections from accessing link-local or localhost networks when making user-driven connections to Servi… | |||
| CVE-2020-9715 | unknown | — | 1.5 | 2mo ago | Adobe Acrobat contains a use-after-free vulnerability that allows for code execution | |||
| CVE-2020-7796 | unknown | — | 1.5 | 4mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled. | |||
| CVE-2020-25079 | unknown | — | 1.5 | 10mo ago | D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users shou… | |||
| CVE-2020-25078 | unknown | — | 1.5 | 10mo ago | D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end… | |||
| CVE-2020-15069 | unknown | — | 1.5 | 1y ago | Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature. | |||
| CVE-2020-29574 | unknown | — | 1.5 | 1y ago | CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely. | |||
| CVE-2020-15415 | unknown | — | 1.5 | 2y ago | DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacte… | |||
| CVE-2020-14644 | unknown | — | 1.5 | 2y ago | Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerabi… | |||
| CVE-2020-13965 | unknown | — | 1.5 | 2y ago | Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment. | |||
| CVE-2020-3259 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which cou… | |||
| CVE-2020-2551 | unknown | — | 1.5 | 3y ago | Oracle Fusion Middleware contains an unspecified vulnerability in the WLS Core Components that allows an unauthenticated attacker with network access via IIOP to compromise the WebLogic Server. | |||
| CVE-2020-12641 | unknown | — | 1.5 | 3y ago | Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | |||
| CVE-2020-9907 | unknown | — | 1.5 | 4y ago | Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. | |||
| CVE-2020-0638 | unknown | — | 1.5 | 4y ago | Microsoft Update Notification Manager contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2020-1027 | unknown | — | 1.5 | 4y ago | An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated … | |||
| CVE-2020-2509 | unknown | — | 1.5 | 4y ago | QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. | |||
| CVE-2020-1631 | unknown | — | 1.5 | 4y ago | A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZT… | |||
| CVE-2020-2021 | unknown | — | 1.5 | 4y ago | Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication. | |||
| CVE-2020-2506 | unknown | — | 1.5 | 4y ago | QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information. | |||
| CVE-2020-9377 | unknown | — | 1.5 | 4y ago | D-Link DIR-610 devices allow remote code execution via the cmd parameter to command.php. | |||
| CVE-2020-9054 | unknown | — | 1.5 | 4y ago | Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code. | |||
| CVE-2020-5135 | unknown | — | 1.5 | 4y ago | A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. | |||
| CVE-2020-8218 | unknown | — | 1.5 | 4y ago | A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface. | |||
| CVE-2020-11899 | unknown | — | 1.5 | 4y ago | The Treck TCP/IP stack contains an IPv6 out-of-bounds read vulnerability. | |||
| CVE-2020-6572 | unknown | — | 1.5 | 5y ago | Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | |||
| CVE-2020-17463 | unknown | — | 1.5 | 5y ago | FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. | |||
| CVE-2020-11261 | unknown | — | 1.5 | 5y ago | Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Con… | |||
| CVE-2020-4430 | unknown | — | 1.5 | 5y ago | IBM Data Risk Manager contains a directory traversal vulnerability that could allow a remote authenticated attacker to traverse directories and send a specially crafted URL request to download arbitr… | |||
| CVE-2020-3566 | unknown | — | 1.5 | 5y ago | Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to … | |||
| CVE-2020-9819 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, and watchOS Mail contains a memory corruption vulnerability that may allow heap corruption when processing a maliciously crafted mail message. | |||
| CVE-2020-10148 | unknown | — | 1.5 | 5y ago | SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands. | |||
| CVE-2020-27950 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, and watchOS contain a memory initialization vulnerability that may allow a malicious application to disclose kernel memory. | |||
| CVE-2020-26919 | unknown | — | 1.5 | 5y ago | Netgear JGS516PE devices contain a missing function level access control vulnerability. | |||
| CVE-2020-1350 | unknown | — | 1.5 | 5y ago | Microsoft Windows DNS Servers fail to properly handle requests, allowing an attacker to perform remote code execution in the context of the Local System Account. The vulnerability is also known under… | |||
| CVE-2020-1464 | unknown | — | 1.5 | 5y ago | Microsoft Windows contains a spoofing vulnerability when Windows incorrectly validates file signatures, allowing an attacker to bypass security features and load improperly signed files. | |||
| CVE-2020-1040 | unknown | — | 1.5 | 5y ago | Microsoft Hyper-V RemoteFX vGPU contains an improper input validation vulnerability due to the host server failing to properly validate input from an authenticated user on a guest operating system. S… | |||
| CVE-2020-0878 | unknown | — | 1.5 | 5y ago | Microsoft Edge and Internet Explorer contain a memory corruption vulnerability that allows attackers to execute code in the context of the current user. | |||
| CVE-2020-27930 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, and watchOS FontParser contain a memory corruption vulnerability which may allow for code execution when processing maliciously crafted front. | |||
| CVE-2020-3118 | unknown | — | 1.5 | 5y ago | Cisco IOS XR improperly validates string input from certain fields in Cisco Discovery Protocol messages. Exploitation could allow an unauthenticated, adjacent attacker to execute code with administra… | |||
| CVE-2020-8195 | unknown | — | 1.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an information disclosure vulnerability. | |||
| CVE-2020-8193 | unknown | — | 1.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an authorization bypass vulnerability that may allow unauthenticated access to certain URL endpoints. The attacke… | |||
| CVE-2020-3569 | unknown | — | 1.5 | 5y ago | Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to … | |||
| CVE-2020-27932 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, and watchOS contain a type confusion vulnerability that may allow a malicious application to execute code with kernel privileges. | |||
| CVE-2020-25506 | unknown | — | 1.5 | 5y ago | D-Link DNS-320 device contains a command injection vulnerability in the sytem_mgr.cgi component that may allow for remote code execution. | |||
| CVE-2020-29557 | unknown | — | 1.5 | 5y ago | D-Link DIR-825 R1 devices contain a buffer overflow vulnerability in the web interface that may allow for remote code execution. | |||
| CVE-2020-8196 | unknown | — | 1.5 | 5y ago | Citrix ADC, Citrix Gateway, and multiple Citrix SD-WAN WANOP appliance models contain an information disclosure vulnerability. | |||
| CVE-2020-9818 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, and watchOS Mail contains an out-of-bounds write vulnerability which may allow memory modification or application termination when processing a maliciously crafted mail message. | |||
| CVE-2020-0968 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability due to how the Scripting Engine handles objects in memory, leading to remote code execution. | |||
| CVE-2020-12812 | unknown | — | 1.5 | 5y ago | Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the second factor of authentication (FortiToken) if t… | |||
| CVE-2020-0041 | unknown | — | 1.5 | 5y ago | Android Kernel binder_transaction of binder.c contains an out-of-bounds write vulnerability due to an incorrect bounds check that could allow for local privilege escalation. This vulnerability was ob… | |||
| CVE-2020-8599 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One and OfficeScan server contain a vulnerable EXE file that could allow a remote attacker to write data to a path on affected installations and bypass root login. | |||
| CVE-2020-0069 | unknown | — | 1.5 | 5y ago | Multiple MediaTek chipsets contain an insufficient input validation vulnerability and have missing SELinux restrictions in the Command Queue drivers ioctl handlers. This causes an out-of-bounds write… | |||
| CVE-2020-10987 | unknown | — | 1.5 | 5y ago | Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter. | |||
| CVE-2020-8468 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One, OfficeScan, and Worry-Free Business Security agents contain a content validation escape vulnerability that could allow an attacker to manipulate certain agent client components. | |||
| CVE-2020-16010 | unknown | — | 1.5 | 5y ago | Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted … | |||
| CVE-2020-9859 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, watchOS, and tvOS contain an unspecified vulnerability that may allow an application to execute code with kernel privileges. | |||
| CVE-2020-17087 | unknown | — | 1.5 | 5y ago | Microsoft Windows kernel contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2020-8467 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One and OfficeScan contain an unspecified vulnerability within a migration tool component that allows for remote code execution. | |||
| CVE-2020-17144 | unknown | — | 1.5 | 5y ago | Microsoft Exchange Server improperly validates cmdlet arguments which allow an attacker to perform remote code execution. | |||
| CVE-2020-0986 | unknown | — | 1.5 | 5y ago | Microsoft Windows kernel contains an unspecified vulnerability when handling objects in memory that allows attackers to escalate privileges and execute code in kernel mode. | |||
| CVE-2020-3580 | unknown | — | 1.5 | 5y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful ex… | |||
| CVE-2020-24557 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One, OfficeScan, and Worry-Free Business Security on Microsoft Windows contain an improper access control vulnerability that may allow an attacker to manipulate a particular product … | |||
| CVE-2020-3992 | unknown | — | 1.5 | 5y ago | VMware ESXi OpenSLP contains a use-after-free vulnerability that allows an attacker residing in the management network with access to port 427 to perform remote code execution. | |||
| CVE-2020-4006 | unknown | — | 1.5 | 5y ago | VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector contain a command injection vulnerability. An attacker with network access to the administrative config… | |||
| CVE-2020-8243 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure contains an unspecified vulnerability in the admin web interface that could allow an authenticated attacker to upload a custom template to perform code execution. | |||
| CVE-2020-29583 | unknown | — | 1.5 | 5y ago | Zyxel firewalls (ATP, USG, VM) and AP Controllers (NXC2500 and NXC5500) contain a use of hard-coded credentials vulnerability in an undocumented account ("zyfwp") with an unchangeable password. | |||
| CVE-2020-0938 | unknown | — | 1.5 | 5y ago | Microsoft Windows Adobe Font Manager Library contains an unspecified vulnerability when handling specially crafted multi-master fonts (Adobe Type 1 PostScript format) that allows for remote code exec… | |||
| CVE-2020-1020 | unknown | — | 1.5 | 5y ago | Microsoft Windows Adobe Font Manager Library contains an unspecified vulnerability when handling specially crafted multi-master fonts (Adobe Type 1 PostScript format) that allows for remote code exec… | |||
| CVE-2020-1380 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. |