CVEs from 2020

Total: 3,795
Critical: 206
High: 563
Medium: 745
Low: 59
% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-11971 | unknown | — | — | | | | 5y ago | Improper Input Validation in Apache Camel |
| CVE-2020-7709 | unknown | — | — | | | | 5y ago | Prototype pollution in json-pointer |
| CVE-2020-10544 | unknown | — | — | | | | 5y ago | Cross-site Scripting in PrimeFaces |
| CVE-2020-24554 | unknown | — | — | | | | 5y ago | Open Redirect in Liferay Portal |
| CVE-2020-25020 | unknown | — | — | | | | 5y ago | Improper Restriction of XML External Entity Reference in MPXJ |
| CVE-2020-9298 | unknown | — | — | | | | 5y ago | Server-Side Request Forgery in Spinnaker Orca |
| CVE-2020-13933 | unknown | — | — | | | | 5y ago | Authentication bypass in Apache Shiro |
| CVE-2020-11976 | unknown | — | — | | | | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Wicket |
| CVE-2020-1951 | unknown | — | — | | | | 5y ago | Infinite Loop in Apache Tika |
| CVE-2020-1950 | unknown | — | — | | | | 5y ago | Uncontrolled Resource Consumption in Apache Tika |
| CVE-2020-9489 | unknown | — | — | | | | 5y ago | Missing Release of Memory after Effective Lifetime in Apache Tika |
| CVE-2020-1957 | unknown | — | — | | | | 5y ago | Improper Authentication in Apache Shiro |
| CVE-2020-11989 | unknown | — | — | | | | 5y ago | Improper Authentication in Apache Shiro |
| CVE-2020-7712 | unknown | — | — | | | | 5y ago | trentm/json vulnerable to command injection |
| CVE-2020-36326 | unknown | — | — | | | | 5y ago | PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a func… |
| CVE-2020-5421 | unknown | — | — | | | | 5y ago | Improper Input Validation in Spring Framework |
| CVE-2020-5412 | unknown | — | — | | | | 5y ago | Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix |
| CVE-2020-10687 | unknown | — | — | | | | 5y ago | HTTP Request Smuggling in Undertow |
| CVE-2020-10705 | unknown | — | — | | | | 5y ago | Allocation of Resources Without Limits or Throttling in Undertow |
| CVE-2020-10719 | unknown | — | — | | | | 5y ago | HTTP Request Smuggling in Undertow |
| CVE-2020-26939 | unknown | — | — | | | | 5y ago | Observable Differences in Behavior to Error Inputs in Bouncy Castle |
| CVE-2020-35217 | unknown | — | — | | | | 5y ago | Cross-Site Request Forgery in Vert.x-Web framework |
| CVE-2020-9447 | unknown | — | — | | | | 5y ago | Cross-site Scripting in GwtUpload |
| CVE-2020-13954 | unknown | — | — | | | | 5y ago | Cross-site scripting in Apache CXF |
| CVE-2020-7744 | unknown | — | — | | | | 5y ago | Remote Code Execution and download tracking in Mintegral SDK |
| CVE-2020-26945 | unknown | — | — | | | | 5y ago | Deserialization errors in MyBatis |
| CVE-2020-13955 | unknown | — | — | | | | 5y ago | Missing Authentication for Critical Function in Apache Calcite |
| CVE-2020-17510 | unknown | — | — | | | | 5y ago | Authentication bypass in Apache Shiro |
| CVE-2020-36319 | unknown | — | — | | | | 5y ago | Potential sensitive data exposure in applications using Vaadin 15 |
| CVE-2020-36321 | unknown | — | — | | | | 5y ago | Directory traversal in development mode handler in Vaadin 14 and 15-17 |
| CVE-2020-36320 | unknown | — | — | | | | 5y ago | Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7 |
| CVE-2020-8908 | unknown | — | — | | | | 5y ago | Information Disclosure in Guava |
| CVE-2020-7014 | unknown | — | — | | | | 5y ago | Privilege Escalation Flaw in Elasticsearch |
| CVE-2020-7020 | unknown | — | — | | | | 5y ago | Privilege Context Switching Error in Elasticsearch |
| CVE-2020-13959 | unknown | — | — | | | | 5y ago | Cross-site scripting (XSS) in Apache Velocity Tools |
| CVE-2020-27223 | unknown | — | — | | | | 5y ago | DOS vulnerability for Quoted Quality CSV headers |
| CVE-2020-13697 | unknown | — | — | | | | 5y ago | NanoHTTPD Cross-site Scripting vulnerability |
| CVE-2020-25649 | unknown | — | — | | | | 5y ago | A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from t… |
| CVE-2020-8570 | unknown | — | — | | | | 5y ago | Path Traversal in the Java Kubernetes Client |
| CVE-2020-13922 | unknown | — | — | | | | 6y ago | Incorrect Default Permissions in Apache DolphinScheduler |
| CVE-2020-26282 | unknown | — | — | | | | 6y ago | Server-Side Template Injection |
| CVE-2020-26258 | unknown | — | — | | | | 6y ago | Server-Side Forgery Request can be activated unmarshalling with XStream |
| CVE-2020-26259 | unknown | — | — | | | | 6y ago | XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling |
| CVE-2020-35460 | unknown | — | — | | | | 6y ago | MPXJ path Traversal vulnerability |
| CVE-2020-26274 | unknown | — | — | | | | 6y ago | In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix. |
| CVE-2020-26234 | unknown | — | — | | | | 6y ago | Disabled Hostname Verification in Opencast |
| CVE-2020-27218 | unknown | — | — | | | | 6y ago | Buffer not correctly recycled in Gzip Request inflation |
| CVE-2020-26245 | unknown | — | — | | | | 6y ago | npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper poll… |
| CVE-2020-26238 | unknown | — | — | | | | 6y ago | Template injection in cron-utils |
| CVE-2020-26237 | unknown | — | — | | | | 6y ago | Highlight.js is a syntax highlighter written in JavaScript. Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to Prototype Pollution. A malicious HTML code block can be crafted that will … |
| CVE-2020-26217 | unknown | — | — | | | | 6y ago | XStream can be used for Remote Code Execution |
| CVE-2020-27216 | unknown | — | — | | | | 6y ago | Local Temp Directory Hijacking Vulnerability |
| CVE-2020-35922 | unknown | — | — | | | | 6y ago | An issue was discovered in the mio crate before 0.7.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation. |
| CVE-2020-26300 | unknown | — | — | | | | 6y ago | systeminformation is an npm package that provides system and OS information library for node.js. In systeminformation before version 4.26.2 there is a command injection vulnerability. Problem was fix… |
| CVE-2020-7752 | unknown | — | — | | | | 6y ago | This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execu… |
| CVE-2020-8929 | unknown | — | — | | | | 6y ago | Ciphertext Malleability Issue in Tink Java |
| CVE-2020-15252 | unknown | — | — | | | | 6y ago | RCE in XWiki |
| CVE-2020-15170 | unknown | — | — | | | | 6y ago | Potential access control security issue in apollo-adminservice |
| CVE-2020-15171 | unknown | — | — | | | | 6y ago | Users with SCRIPT right can execute arbitrary code in XWiki |
| CVE-2020-24660 | unknown | — | — | | | | 6y ago | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also af… |
| CVE-2020-15094 | unknown | — | — | | | | 6y ago | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… |
| CVE-2020-12480 | unknown | — | — | | | | 6y ago | CSRF in Play Framework |
| CVE-2020-5413 | unknown | — | — | | | | 6y ago | Code execution in Spring Integration |
| CVE-2020-13921 | unknown | — | — | | | | 6y ago | SQL Injection in Apache SkyWalking |
| CVE-2020-11994 | unknown | — | — | | | | 6y ago | Server side template injection in Apache Camel |
| CVE-2020-1937 | unknown | — | — | | | | 6y ago | SQL Injection in Kylin |
| CVE-2020-13926 | unknown | — | — | | | | 6y ago | SQL Injection in Kylin |
| CVE-2020-13925 | unknown | — | — | | | | 6y ago | Command Injection in Kylin |
| CVE-2020-15231 | unknown | — | — | | | | 6y ago | XSS in Mapfish Print relating to JSONP support |
| CVE-2020-15232 | unknown | — | — | | | | 6y ago | XXE attack in Mapfish Print |
| CVE-2020-15087 | unknown | — | — | | | | 6y ago | Privilege escalation in Presto |
| CVE-2020-14061 | unknown | — | — | | | | 6y ago | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectio… |
| CVE-2020-14195 | unknown | — | — | | | | 6y ago | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). |
| CVE-2020-11612 | unknown | — | — | | | | 6y ago | Denial of Service in Netty |
| CVE-2020-5408 | unknown | — | — | | | | 6y ago | Insufficient Entropy in Spring Security |
| CVE-2020-7226 | unknown | — | — | | | | 6y ago | Denial of Service in Cryptacular |
| CVE-2020-10683 | unknown | — | — | | | | 6y ago | dom4j allows External Entities by default which might enable XXE attacks |
| CVE-2020-5407 | unknown | — | — | | | | 6y ago | Signature wrapping vulnerability in Spring Security |
| CVE-2020-5405 | unknown | — | — | | | | 6y ago | Directory traversal attack in Spring Cloud Config |
| CVE-2020-1963 | unknown | — | — | | | | 6y ago | File system access via H2 in Apache Ignite |
| CVE-2020-13625 | unknown | — | — | | | | 6y ago | PHPMailer before 6.1.6 contains an output escaping bug when the name of a file attachment contains a double quote character. This can result in the file type being misinterpreted by the receiver or a… |
| CVE-2020-11973 | unknown | — | — | | | | 6y ago | Apache Camel Netty enables Java deserialization by default |
| CVE-2020-1941 | unknown | — | — | | | | 6y ago | Apache ActiveMQ webconsole admin GUI is open to XSS |
| CVE-2020-5529 | unknown | — | — | | | | 6y ago | Code execution vulnerability in HtmlUnit |
| CVE-2020-1953 | unknown | — | — | | | | 6y ago | Remote code execution in Apache Commons Configuration |
| CVE-2020-10968 | unknown | — | — | | | | 6y ago | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). |
| CVE-2020-11111 | unknown | — | — | | | | 6y ago | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, a… |
| CVE-2020-7647 | unknown | — | — | | | | 6y ago | path traversal in Jooby |
| CVE-2020-11050 | unknown | — | — | | | | 6y ago | Improper Validation of Certificate with Host Mismatch in Java-WebSocket |
| CVE-2020-1929 | unknown | — | — | | | | 6y ago | Improper Certificate Validation in Apache Beam |
| CVE-2020-11009 | unknown | — | — | | | | 6y ago | IDOR can reveal execution data and logs to unauthorized user in Rundeck |
| CVE-2020-10969 | unknown | — | — | | | | 6y ago | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. |
| CVE-2020-11620 | unknown | — | — | | | | 6y ago | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). |
| CVE-2020-11007 | unknown | — | — | | | | 6y ago | Negative charge in shopping cart in Shopizer |
| CVE-2020-1728 | unknown | — | — | | | | 6y ago | Improper Restriction of Rendered UI Layers or Frames in Keycloak |
| CVE-2020-1731 | unknown | — | — | | | | 6y ago | Predictable password in Keycloak |
| CVE-2020-1697 | unknown | — | — | | | | 6y ago | XSS in Keycloak |
| CVE-2020-10203 | unknown | — | — | | | | 6y ago | Persistent Cross-Site scripting in Nexus Repository Manager |
| CVE-2020-10204 | unknown | — | — | | | | 6y ago | Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager |
| CVE-2020-11002 | unknown | — | — | | | | 6y ago | Remote Code Execution (RCE) vulnerability in dropwizard-validation |