CVEs from 2020
Total
3,797
critical
critical 206
high
high 563
medium
medium 745
low
low 59
% Critical
5.4%
% with KEV
3.8%
% with exploit
5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-2727 | unknown | — | — | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.36, prior to 6.0.16 and prior to 6.1.2. Easily expl… | |||
| CVE-2020-15861 | unknown | — | — | — | Net-SNMP through 5.7.3 allows Escalation of Privileges because of UNIX symbolic link (symlink) following. | |||
| CVE-2020-6543 | unknown | — | — | — | Use after free in task scheduling in Google Chrome prior to 84.0.4147.125 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-27674 | unknown | — | — | — | An issue was discovered in Xen through 4.14.x allowing x86 PV guest OS users to gain guest OS privileges by modifying kernel memory contents, because invalidation of TLB entries is mishandled during … | |||
| CVE-2020-27670 | unknown | — | — | — | An issue was discovered in Xen through 4.14.x allowing x86 guest OS users to cause a denial of service (data corruption), cause a data leak, or possibly gain privileges because an AMD IOMMU page-tabl… | |||
| CVE-2020-25599 | unknown | — | — | — | An issue was discovered in Xen through 4.14.x. There are evtchn_reset() race conditions. Uses of EVTCHNOP_reset (potentially by a guest on itself) or XEN_DOMCTL_soft_reset (by itself covered by XSA-7… | |||
| CVE-2020-25597 | unknown | — | — | — | An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen ass… | |||
| CVE-2020-24265 | unknown | — | — | — | An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap buffer overflow vulnerability in MemcmpInterceptorCommon() that can make tcpprep crash and cause a denial of service. | |||
| CVE-2020-24661 | unknown | — | — | — | GNOME Geary before 3.36.3 mishandles pinned TLS certificate verification for IMAP and SMTP services using invalid TLS certificates (e.g., self-signed certificates) when the client system is not confi… | |||
| CVE-2020-13428 | unknown | — | — | — | A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of … | |||
| CVE-2020-26148 | unknown | — | — | — | md_push_block_bytes in md4c.c in md4c 0.4.5 allows attackers to trigger use of uninitialized memory, and cause a denial of service (e.g., assertion failure) via a malformed Markdown document. | |||
| CVE-2020-22048 | unknown | — | — | — | A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory leak in the ff_frame_pool_get function in framepool.c. | |||
| CVE-2020-15473 | unknown | — | — | — | In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-based buffer over-read in ndpi_search_openvpn in lib/protocols/openvpn.c. | |||
| CVE-2020-15474 | unknown | — | — | — | In nDPI through 3.2, there is a stack overflow in extractRDNSequence in lib/protocols/tls.c. | |||
| CVE-2020-6492 | unknown | — | — | — | Use after free in ANGLE in Google Chrome prior to 83.0.4103.97 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-11061 | unknown | — | — | — | In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initi… | |||
| CVE-2020-27352 | unknown | — | — | — | When generating the systemd service units for the docker snap (and other similar snaps), snapd does not specify Delegate=yes - as a result systemd will move processes from the containers created and … | |||
| CVE-2020-6106 | unknown | — | — | — | An exploitable information disclosure vulnerability exists in the init_node_manager functionality of F2fs-Tools F2fs.Fsck 1.12 and 1.13. A specially crafted filesystem can be used to disclose informa… | |||
| CVE-2020-24361 | unknown | — | — | — | SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, PREXEC, or unknown_trap_exec. | |||
| CVE-2020-25887 | unknown | — | — | — | Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file. | |||
| CVE-2020-6105 | unknown | — | — | — | An exploitable code execution vulnerability exists in the multiple devices functionality of F2fs-Tools F2fs.Fsck 1.13. A specially crafted f2fs filesystem can cause Information overwrite resulting in… | |||
| CVE-2020-12062 | unknown | — | — | — | The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbit… | |||
| CVE-2020-6501 | unknown | — | — | — | Insufficient policy enforcement in CSP in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2020-20739 | unknown | — | — | — | im_vips2dz in /libvips/libvips/deprecated/im_vips2dz.c in libvips before 8.8.2 has an uninitialized variable which may cause the leakage of remote server path or stack address. | |||
| CVE-2020-9274 | unknown | — | — | — | An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer vulnerability has been detected in the diraliases linked list. When the *lookup_alias(const char alias) or print_aliases(void) fu… | |||
| CVE-2020-14713 | unknown | — | — | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.44, prior to 6.0.24 and prior to 6.1.12. Difficult … | |||
| CVE-2020-19909 | unknown | — | — | — | Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via a large value as the retry delay. NOTE: many parties report that this has no direct security impact on the curl user; however, it m… | |||
| CVE-2020-14059 | unknown | — | — | — | An issue was discovered in Squid 5.x before 5.0.3. Due to an Incorrect Synchronization, a Denial of Service can occur when processing objects in an SMP cache because of an Ipc::Mem::PageStack::pop AB… | |||
| CVE-2020-21468 | unknown | — | — | — | A segmentation fault in the redis-server component of Redis 5.0.7 leads to a denial of service (DOS). NOTE: the vendor cannot reproduce this issue in a released version, such as 5.0.7 | |||
| CVE-2020-16045 | unknown | — | — | — | Use after Free in Payments in Google Chrome on Android prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted H… | |||
| CVE-2020-27351 | unknown | — | — | — | Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prio… | |||
| CVE-2020-2907 | unknown | — | — | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 5.2.40, prior to 6.0.20 and prior to 6.1.6. Difficult t… | |||
| CVE-2020-19752 | unknown | — | — | — | The find_color_or_error function in gifsicle 1.92 contains a NULL pointer dereference. | |||
| CVE-2020-8224 | unknown | — | — | — | A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory. | |||
| CVE-2020-5291 | unknown | — | — | — | Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process kee… | |||
| CVE-2020-14378 | unknown | — | — | — | An integer underflow in dpdk versions before 18.11.10 and before 19.11.5 in the `move_desc` function can lead to large amounts of CPU cycles being eaten up in a long running loop. An attacker could c… | |||
| CVE-2020-9493 | unknown | — | — | — | ||||
| CVE-2020-11880 | unknown | — | — | — | An issue was discovered in KDE KMail before 19.12.3. By using the proprietary (non-RFC6068) "mailto?attach=..." parameter, a website (or other source of mailto links) can make KMail attach local file… | |||
| CVE-2020-29571 | unknown | — | — | — | An issue was discovered in Xen through 4.14.x. A bounds check common to most operation time functions specific to FIFO event channels depends on the CPU observing consistent state. While the producer… | |||
| CVE-2020-29488 | unknown | — | — | — | ||||
| CVE-2020-29566 | unknown | — | — | — | An issue was discovered in Xen through 4.14.x. When they require assistance from the device model, x86 HVM guests must be temporarily de-scheduled. The device model will signal Xen when it has comple… | |||
| CVE-2020-29484 | unknown | — | — | — | An issue was discovered in Xen through 4.14.x. When a Xenstore watch fires, the xenstore client that registered the watch will receive a Xenstore message containing the path of the modified Xenstore … | |||
| CVE-2020-11865 | unknown | — | — | — | libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows out-of-bounds memory access. | |||
| CVE-2020-6797 | unknown | — | — | — | By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download … | |||
| CVE-2020-16003 | unknown | — | — | — | Use after free in printing in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-19185 | unknown | — | — | — | Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command. | |||
| CVE-2020-2585 | unknown | — | — | — | Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u231. Difficult to exploit vulnerability allows unauthenticated attacke… | |||
| CVE-2020-37044 | unknown | — | — | 4mo ago | OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malici… | |||
| CVE-2020-37041 | unknown | — | — | 4mo ago | OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with … | |||
| CVE-2020-36962 | unknown | — | — | 4mo ago | Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payload… | |||
| CVE-2020-36947 | unknown | — | — | 4mo ago | LibreNMS contains an authenticated SQL Injection vulnerability | |||
| CVE-2020-25635 | unknown | — | — | 7mo ago | A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. Th… | |||
| CVE-2020-36851 | unknown | — | — | 8mo ago | cors-anywhere vulnerable to server-side request forgery | |||
| CVE-2020-36843 | unknown | — | — | 1y ago | Ed25519 Signature Malleability in ed25519-java Due to Missing Scalar Range Check | |||
| CVE-2020-26311 | unknown | — | — | 2y ago | useragent Regular Expression Denial of Service vulnerability | |||
| CVE-2020-26305 | unknown | — | — | 2y ago | CommonRegexJS Regular Expression Denial of Service vulnerability | |||
| CVE-2020-26304 | unknown | — | — | 2y ago | Foundation Regular Expression Denial of Service vulnerability | |||
| CVE-2020-26309 | unknown | — | — | 2y ago | nope-validator Regular Expression Denial of Service vulnerability | |||
| CVE-2020-26306 | unknown | — | — | 2y ago | Knwl.js Regular Expression Denial of Service vulnerability | |||
| CVE-2020-26308 | unknown | — | — | 2y ago | validate.js Regular Expression Denial of Service vulnerability | |||
| CVE-2020-26303 | unknown | — | — | 2y ago | insane vulnerable to Regular Expression Denial of Service | |||
| CVE-2020-36830 | unknown | — | — | 2y ago | ReDoS in urlregex | |||
| CVE-2020-15100 | unknown | — | — | 2y ago | In freewvs before 0.1.1, a user could create a large file that freewvs will try to read, which will terminate a scan process. This has been patched in 0.1.1. | |||
| CVE-2020-15101 | unknown | — | — | 2y ago | In freewvs before 0.1.1, a directory structure of more than 1000 nested directories can interrupt a freewvs scan due to Python's recursion limit and os.walk(). This can be problematic in a case where… | |||
| CVE-2020-11093 | unknown | — | — | 2y ago | Hyperledger Indy Node is the server portion of a distributed ledger purpose-built for decentralized identity. In Hyperledger Indy before version 1.12.4, there is lack of signature verification on a s… | |||
| CVE-2020-35125 | unknown | — | — | 2y ago | Mautic is vulnerable to XSS vulnerability | |||
| CVE-2020-26312 | unknown | — | — | 2y ago | dotmesh arbitrary file read and/or write in github.com/dotmesh-io/dotmesh | |||
| CVE-2020-14316 | unknown | — | — | 2y ago | Privilege Escalation in kubevirt in kubevirt.io/kubevirt | |||
| CVE-2020-8563 | unknown | — | — | 2y ago | In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.… | |||
| CVE-2020-8566 | unknown | — | — | 2y ago | In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during p… | |||
| CVE-2020-10937 | unknown | — | — | 2y ago | Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs | |||
| CVE-2020-8557 | unknown | — | — | 2y ago | The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted i… | |||
| CVE-2020-8559 | unknown | — | — | 2y ago | The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an att… | |||
| CVE-2020-7666 | unknown | — | — | 2y ago | github.com/u-root/u-root/pkg/cpio Arbitrary File Write via Archive Extraction (Zip Slip) | |||
| CVE-2020-27534 | unknown | — | — | 2y ago | util/binfmt_misc/check.go in Builder in Docker Engine before 19.03.9 calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.T… | |||
| CVE-2020-16251 | unknown | — | — | 2y ago | HashiCorp Vault Authentication bypass in github.com/hashicorp/vault | |||
| CVE-2020-15136 | unknown | — | — | 2y ago | In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on e… | |||
| CVE-2020-15114 | unknown | — | — | 2y ago | In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoin… | |||
| CVE-2020-15113 | unknown | — | — | 2y ago | In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS con… | |||
| CVE-2020-10660 | unknown | — | — | 2y ago | HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault | |||
| CVE-2020-10661 | unknown | — | — | 2y ago | HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault | |||
| CVE-2020-26625 | unknown | — | — | 3y ago | Gila CMS SQL Injection vulnerability | |||
| CVE-2020-26624 | unknown | — | — | 3y ago | Gila CMS SQL Injection vulnerability | |||
| CVE-2020-26623 | unknown | — | — | 3y ago | Gila CMS SQL Injection | |||
| CVE-2020-18831 | unknown | — | — | 3y ago | Buffer Overflow vulnerability in tEXtToDataBuf function in pngimage.cpp in Exiv2 0.27.1 allows remote attackers to cause a denial of service and other unspecified impacts via use of crafted file. | |||
| CVE-2020-35141 | unknown | — | — | 3y ago | FaucetSDN Ryu Denial of Service Vulnerability | |||
| CVE-2020-25915 | unknown | — | — | 3y ago | ThinkCMF Cross-site Scripting Vulnerability | |||
| CVE-2020-24922 | unknown | — | — | 3y ago | xuxueli xxl-job Cross-Site Request Forgery Vulnerability | |||
| CVE-2020-35139 | unknown | — | — | 3y ago | FaucetSDN Ryu Denial of Service Vulnerability | |||
| CVE-2020-20523 | unknown | — | — | 3y ago | Gila CMS Cross-site Scripting Vulnerability | |||
| CVE-2020-36664 | unknown | — | — | 3y ago | Artesãos SEOTools Open Redirect vulnerability | |||
| CVE-2020-36663 | unknown | — | — | 3y ago | Artesãos SEOTools Open Redirect vulnerability | |||
| CVE-2020-36665 | unknown | — | — | 3y ago | Artesãos SEOTools Open Redirect vulnerability | |||
| CVE-2020-26302 | unknown | — | — | 3y ago | is_js vulnerable to Regular Expression Denial of Service | |||
| CVE-2020-26709 | unknown | — | — | 3y ago | py-xml v1.0 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | |||
| CVE-2020-26708 | unknown | — | — | 3y ago | requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | |||
| CVE-2020-26710 | unknown | — | — | 3y ago | easy-parse v0.1.1 was discovered to contain a XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file. | |||
| CVE-2020-23064 | unknown | — | — | 3y ago | jQuery Cross Site Scripting vulnerability | |||
| CVE-2020-21489 | unknown | — | — | 3y ago | Liufee CMS File Upload vulnerability | |||
| CVE-2020-21485 | unknown | — | — | 3y ago | Alluxio Cross Site Scripting vulnerability |