CVEs from 2020
Total
3,802
critical
critical 206
high
high 563
medium
medium 743
low
low 59
% Critical
5.4%
% with KEV
3.8%
% with exploit
5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-35701 | high | — | 8.0 | — | An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id paramete… | |||
| CVE-2020-6505 | high | — | 8.0 | — | Use after free in speech in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-28021 | high | — | 8.0 | — | Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code executi… | |||
| CVE-2020-1723 | high | — | 8.0 | — | multiple issues in keycloak | |||
| CVE-2020-6488 | high | — | 8.0 | — | Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-6477 | high | — | 8.0 | — | Inappropriate implementation in installer in Google Chrome on OS X prior to 83.0.4103.61 allowed a local attacker to perform privilege escalation via a crafted file. | |||
| CVE-2020-6573 | high | — | 8.0 | — | Use after free in video in Google Chrome on Android prior to 85.0.4183.102 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTM… | |||
| CVE-2020-15995 | high | — | 8.0 | — | Out of bounds write in V8 in Google Chrome prior to 86.0.4240.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6479 | high | — | 8.0 | — | Inappropriate implementation in sharing in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2020-16043 | high | — | 8.0 | — | Insufficient data validation in networking in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to bypass discretionary access control via malicious network traffic. | |||
| CVE-2020-8169 | high | — | 8.0 | — | curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s). | |||
| CVE-2020-6481 | high | — | 8.0 | — | Insufficient policy enforcement in URL formatting in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to perform domain spoofing via a crafted domain name. | |||
| CVE-2020-16038 | high | — | 8.0 | — | Use after free in media in Google Chrome on OS X prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6486 | high | — | 8.0 | — | Insufficient policy enforcement in navigations in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-16028 | high | — | 8.0 | — | Heap buffer overflow in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-16015 | high | — | 8.0 | — | Insufficient data validation in WASM in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-1716 | high | — | 8.0 | — | Important: Rocky Enterprise Software Foundation Ceph Storage 4.1 security, bug fix, and enhancement update | |||
| CVE-2020-6466 | high | — | 8.0 | — | Use after free in media in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-6462 | high | — | 8.0 | — | Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML… | |||
| CVE-2020-3123 | high | — | 8.0 | — | A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service … | |||
| CVE-2020-6445 | high | — | 8.0 | — | Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page. | |||
| CVE-2020-6461 | high | — | 8.0 | — | Use after free in storage in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-16034 | high | — | 8.0 | — | Inappropriate implementation in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a local attacker to bypass policy restrictions via a crafted HTML page. | |||
| CVE-2020-15889 | high | — | 8.0 | — | Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members. | |||
| CVE-2020-15965 | high | — | 8.0 | — | Type confusion in V8 in Google Chrome prior to 85.0.4183.121 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||
| CVE-2020-6420 | high | — | 8.0 | — | Insufficient policy enforcement in media in Google Chrome prior to 80.0.3987.132 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||
| CVE-2020-6448 | high | — | 8.0 | — | Use after free in V8 in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-16119 | high | — | 8.0 | — | Use-after-free vulnerability in the Linux kernel exploitable by a local attacker due to reuse of a DCCP socket with an attached dccps_hc_tx_ccid object as a listener after being released. Fixed in Ub… | |||
| CVE-2020-6458 | high | — | 8.0 | — | Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2020-16019 | high | — | 8.0 | — | Inappropriate implementation in filesystem in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a mal… | |||
| CVE-2020-28020 | high | — | 8.0 | — | Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header… | |||
| CVE-2020-6487 | high | — | 8.0 | — | Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-6473 | high | — | 8.0 | — | Insufficient policy enforcement in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2020-6437 | high | — | 8.0 | — | Inappropriate implementation in WebView in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted application. | |||
| CVE-2020-15166 | high | — | 8.0 | — | In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and con… | |||
| CVE-2020-6494 | high | — | 8.0 | — | Incorrect security UI in payments in Google Chrome on Android prior to 83.0.4103.97 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2020-35680 | high | — | 8.0 | — | smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted pattern of cl… | |||
| CVE-2020-6429 | high | — | 8.0 | — | Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-28016 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase. | |||
| CVE-2020-35176 | high | — | 8.0 | — | In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf fo… | |||
| CVE-2020-6493 | high | — | 8.0 | — | Use after free in WebAuthentication in Google Chrome prior to 83.0.4103.97 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTM… | |||
| CVE-2020-28024 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can … | |||
| CVE-2020-6482 | high | — | 8.0 | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions v… | |||
| CVE-2020-6474 | high | — | 8.0 | — | Use after free in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6468 | high | — | 8.0 | — | Type confusion in V8 in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6467 | high | — | 8.0 | — | Use after free in WebRTC in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-12409 | high | — | 8.0 | — | When using certain blank characters in a URL, they where incorrectly rendered as spaces instead of an encoded URL. This vulnerability affects Firefox < 77. | |||
| CVE-2020-6491 | high | — | 8.0 | — | Insufficient data validation in site information in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted domain name. | |||
| CVE-2020-28026 | high | — | 8.0 | — | Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline … | |||
| CVE-2020-6476 | high | — | 8.0 | — | Insufficient policy enforcement in tab strip in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a c… | |||
| CVE-2020-24654 | high | — | 8.0 | — | arbitrary filesystem access in ark | |||
| CVE-2020-15674 | high | — | 8.0 | — | Mozilla developers reported memory safety bugs present in Firefox 80. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2020-16018 | high | — | 8.0 | — | Use after free in payments in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-28017 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of res… | |||
| CVE-2020-6438 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive informat… | |||
| CVE-2020-6509 | high | — | 8.0 | — | Use after free in extensions in Google Chrome prior to 83.0.4103.116 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Ch… | |||
| CVE-2020-15888 | high | — | 8.0 | — | Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free. | |||
| CVE-2020-28025 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might le… | |||
| CVE-2020-4032 | high | — | 8.0 | — | In FreeRDP before version 2.1.2, there is an integer casting vulnerability in update_recv_secondary_order. All clients with +glyph-cache /relax-order-checks are affected. This is fixed in version 2.1… | |||
| CVE-2020-6483 | high | — | 8.0 | — | Insufficient policy enforcement in payments in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-8835 | high | — | 8.0 | — | In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel … | |||
| CVE-2020-6456 | high | — | 8.0 | — | Insufficient validation of untrusted input in clipboard in Google Chrome prior to 81.0.4044.92 allowed a local attacker to bypass site isolation via crafted clipboard contents. | |||
| CVE-2020-28014 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. | |||
| CVE-2020-28023 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client. | |||
| CVE-2020-6432 | high | — | 8.0 | — | Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-15675 | high | — | 8.0 | — | When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 81. | |||
| CVE-2020-26979 | high | — | 8.0 | — | When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the d… | |||
| CVE-2020-6470 | high | — | 8.0 | — | Insufficient validation of untrusted input in clipboard in Google Chrome prior to 83.0.4103.61 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via crafted clipboard contents. | |||
| CVE-2020-27780 | high | — | 8.0 | — | A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of … | |||
| CVE-2020-6485 | high | — | 8.0 | — | Insufficient data validation in media router in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted … | |||
| CVE-2020-6459 | high | — | 8.0 | — | Use after free in payments in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6469 | high | — | 8.0 | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox es… | |||
| CVE-2020-16022 | high | — | 8.0 | — | Insufficient policy enforcement in networking in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially bypass firewall controls via a crafted HTML page. | |||
| CVE-2020-6579 | high | — | 8.0 | — | multiple issues in chromium | |||
| CVE-2020-16025 | high | — | 8.0 | — | Heap buffer overflow in clipboard in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML … | |||
| CVE-2020-16026 | high | — | 8.0 | — | Use after free in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6422 | high | — | 8.0 | — | Use after free in WebGL in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-12407 | high | — | 8.0 | — | Mozilla Developer Nicolas Silva found that when using WebRender, Firefox would under certain conditions leak arbitrary GPU memory to the visible screen. The leaked memory content was visible to the u… | |||
| CVE-2020-26164 | high | — | 8.0 | — | In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a De… | |||
| CVE-2020-6426 | high | — | 8.0 | — | Inappropriate implementation in V8 in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-23171 | high | — | 8.0 | — | multiple issues in nim | |||
| CVE-2020-6427 | high | — | 8.0 | — | Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-28018 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL. | |||
| CVE-2020-6441 | high | — | 8.0 | — | Insufficient policy enforcement in omnibox in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass security UI via a crafted HTML page. | |||
| CVE-2020-12411 | high | — | 8.0 | — | Mozilla developers reported memory safety bugs present in Firefox 76. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2020-28022 | high | — | 8.0 | — | Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands. | |||
| CVE-2020-12408 | high | — | 8.0 | — | When browsing a document hosted on an IP address, an attacker could insert certain characters to flip domain and path information in the address bar. This vulnerability affects Firefox < 77. | |||
| CVE-2020-14387 | high | — | 8.0 | — | A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing… | |||
| CVE-2020-35733 | high | — | 8.0 | — | An issue was discovered in Erlang/OTP before 23.2.2. The ssl application 10.2 accepts and trusts an invalid X.509 certificate chain to a trusted root Certification Authority. | |||
| CVE-2020-28926 | high | — | 8.0 | — | ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code execution. Sending a malicious UPnP HTTP request to the miniDLNA service using HTTP chunked encoding can lead to a signedness bug re… | |||
| CVE-2020-28019 | high | — | 8.0 | — | Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a clien… | |||
| CVE-2020-10745 | high | — | 8.0 | — | A flaw was found in all Samba versions before 4.10.17, before 4.11.11 and before 4.12.4 in the way it processed NetBios over TCP/IP. This flaw allows a remote attacker could to cause the Samba server… | |||
| CVE-2020-10760 | high | — | 8.0 | — | A use-after-free flaw was found in all samba LDAP server versions before 4.10.17, before 4.11.11, before 4.12.4 used in a AC DC configuration. A Samba LDAP user could use this flaw to crash samba. | |||
| CVE-2020-26972 | high | — | 8.0 | — | The lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must ensure that they are not attempting to use a dead actor they have a reference to. Such a check w… | |||
| CVE-2020-6424 | high | — | 8.0 | — | Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-35114 | high | — | 8.0 | — | Mozilla developers reported memory safety bugs present in Firefox 83. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2020-28009 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation … | |||
| CVE-2020-28012 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. | |||
| CVE-2020-28008 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input s… | |||
| CVE-2020-28013 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the i… |