CVEs from 2020

| Metric | Value |
|---|---|
| Total | 3,797 |
| Critical | 206 |
| High | 563 |
| Medium | 745 |
| Low | 59 |
| % Critical | 5.4% |
| % with KEV | 3.8% |
| % with exploit | 5.4% |
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-20726 | unknown | — | — | | | | 3y ago | GilaCMS Cross Site Request Forgery vulnerability |
| CVE-2020-21174 | unknown | — | — | | | | 3y ago | liufee CMS File Upload vulnerability |
| CVE-2020-20697 | unknown | — | — | | | | 3y ago | NodCMS Cross Site Scripting vulnerability |
| CVE-2020-21246 | unknown | — | — | | | | 3y ago | YiiCMS Cross Site Scripting vulnerability |
| CVE-2020-36732 | unknown | — | — | | | | 3y ago | crypto-js uses insecure random numbers |
| CVE-2020-10676 | unknown | — | — | | | | 3y ago | Rancher users retain access after moving namespaces into projects they don't have access to |
| CVE-2020-22755 | unknown | — | — | | | | 3y ago | MCMS vulnerable to arbitrary code execution via crafted thumbnail |
| CVE-2020-36070 | unknown | — | — | | | | 3y ago | Remote code execution in Voyager |
| CVE-2020-19278 | unknown | — | — | | | | 3y ago | Phachon mm-wiki Cross Site Request Forgery vulnerability |
| CVE-2020-19277 | unknown | — | — | | | | 3y ago | Phachon mm-wiki vulnerable to stored cross-site scripting (XSS) |
| CVE-2020-19697 | unknown | — | — | | | | 3y ago | Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter |
| CVE-2020-20913 | unknown | — | — | | | | 3y ago | Ming-Soft MCMS vulnerable to SQL injection |
| CVE-2020-19850 | unknown | — | — | | | | 3y ago | Directus API vulnerable to denial of service |
| CVE-2020-19698 | unknown | — | — | | | | 3y ago | Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter |
| CVE-2020-21514 | unknown | — | — | | | | 3y ago | Fluent Fluentd and Fluent-ui use default password |
| CVE-2020-19825 | unknown | — | — | | | | 3y ago | Cross-site Scripting in kimai/kimai |
| CVE-2020-36067 | unknown | — | — | | | | 3y ago | GJSON <=v1.6.5 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a crafted GET call. |
| CVE-2020-8565 | unknown | — | — | | | | 3y ago | In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl. Thi… |
| CVE-2020-8564 | unknown | — | — | | | | 3y ago | In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secret… |
| CVE-2020-29529 | unknown | — | — | | | | 3y ago | HashiCorp go-slug up to 0.4.3 did not fully protect against directory traversal while unpacking tar archives, and protections could be bypassed with specific constructions of multiple symlinks. Fixed… |
| CVE-2020-36660 | unknown | — | — | | | | 3y ago | A vulnerability was found in paxswill EVE Ship Replacement Program 0.12.11. It has been rated as problematic. This issue affects some unknown processing of the file src/evesrp/views/api.py of the com… |
| CVE-2020-22452 | unknown | — | — | | | | 3y ago | phpmyadmin contains SQL Injection vulnerability |
| CVE-2020-36655 | unknown | — | — | | | | 3y ago | Command injection in yiisoft/yii2-gii |
| CVE-2020-36651 | unknown | — | — | | | | 3y ago | Path Traversal in web-node-server |
| CVE-2020-36650 | unknown | — | — | | | | 3y ago | gry vulnerable to Command Injection |
| CVE-2020-36645 | unknown | — | — | | | | 4y ago | SQL injection in github.com/square/squalor |
| CVE-2020-36644 | unknown | — | — | | | | 4y ago | Inline SVG vulnerable to Cross-site Scripting |
| CVE-2020-36640 | unknown | — | — | | | | 4y ago | bonita-connector-webservice XML External Entity vulnerability |
| CVE-2020-36641 | unknown | — | — | | | | 4y ago | aXMLRPC XML External Entity vulnerability |
| CVE-2020-36562 | unknown | — | — | | | | 4y ago | Uncontrolled Resource Consumption in github.com/shiyanhui/dht |
| CVE-2020-36563 | unknown | — | — | | | | 4y ago | Weak hash (SHA-1) in github.com/RobotsAndPencils/go-saml |
| CVE-2020-36564 | unknown | — | — | | | | 4y ago | Improper input validation in github.com/justinas/nosurf |
| CVE-2020-36568 | unknown | — | — | | | | 4y ago | Unsanitized input in the query parser in github.com/revel/revel before v1.0.0 allows remote attackers to cause resource exhaustion via memory allocation. |
| CVE-2020-36566 | unknown | — | — | | | | 4y ago | Path traversal in github.com/whyrusleeping/tar-utils |
| CVE-2020-36569 | unknown | — | — | | | | 4y ago | Authentication bypass in github.com/nanobox-io/golang-nanoauth |
| CVE-2020-36559 | unknown | — | — | | | | 4y ago | Path Traversal in aahframe.work |
| CVE-2020-36561 | unknown | — | — | | | | 4y ago | Path traversal in github.com/yi-ge/unzip |
| CVE-2020-36560 | unknown | — | — | | | | 4y ago | Path traversal in github.com/artdarek/go-unzip |
| CVE-2020-36567 | unknown | — | — | | | | 4y ago | Unsanitized input in the default logger in github.com/gin-gonic/gin before v1.6.0 allows remote attackers to inject arbitrary log lines. |
| CVE-2020-36632 | unknown | — | — | | | | 4y ago | flat vulnerable to Prototype Pollution |
| CVE-2020-36629 | unknown | — | — | | | | 4y ago | SimbCo httpster vulnerable to Path Traversal |
| CVE-2020-36627 | unknown | — | — | | | | 4y ago | A vulnerability was found in Macaron i18n. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file i18n.go. The manipulation leads to open redirect… |
| CVE-2020-36625 | unknown | — | — | | | | 4y ago | destiny.gg chat vulnerable to cross-site request forgery |
| CVE-2020-36624 | unknown | — | — | | | | 4y ago | text_helpers uses web link to untrusted target with window.opener access |
| CVE-2020-36620 | unknown | — | — | | | | 4y ago | EnumStringValues vulnerable to Uncontrolled Resource Consumption |
| CVE-2020-36618 | unknown | — | — | | | | 4y ago | FurqanSoftware/node-whois vulnerable to Prototype Pollution |
| CVE-2020-20589 | unknown | — | — | | | | 4y ago | FeehiCMS vulnerable to Cross Site Scripting |
| CVE-2020-36607 | unknown | — | — | | | | 4y ago | FeehiCMS Cross Site Scripting vulnerability |
| CVE-2020-24855 | unknown | — | — | | | | 4y ago | easywebpack-cli Path Traversal vulnerability |
| CVE-2020-36565 | unknown | — | — | | | | 4y ago | Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has p… |
| CVE-2020-36608 | unknown | — | — | | | | 4y ago | Tribal Systems Zenario CMS vulnerable to Cross-site Scripting |
| CVE-2020-25614 | unknown | — | — | | | | 4y ago | xmlquery before 1.3.1 lacks a check for whether a LoadURL response is in the XML format, which allows attackers to cause a denial of service (SIGSEGV) at xmlquery.(*Node).InnerText or possibly have u… |
| CVE-2020-15115 | unknown | — | — | | | | 4y ago | etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess … |
| CVE-2020-15106 | unknown | — | — | | | | 4y ago | In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on … |
| CVE-2020-15112 | unknown | — | — | | | | 4y ago | In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are b… |
| CVE-2020-36604 | unknown | — | — | | | | 4y ago | hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisoning in the clone function. |
| CVE-2020-21516 | unknown | — | — | | | | 4y ago | FeehiCMS has an arbitrary file upload vulnerability |
| CVE-2020-26938 | unknown | — | — | | | | 4y ago | oauth2-server through 3.1.1 vulnerable to Open Redirect |
| CVE-2020-36599 | unknown | — | — | | | | 4y ago | lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value. |
| CVE-2020-14320 | unknown | — | — | | | | 4y ago | Moodle reflected XSS Vulnerability |
| CVE-2020-23622 | unknown | — | — | | | | 4y ago | 4thline cling uPnP protocol issue can lead to denial of service |
| CVE-2020-1691 | unknown | — | — | | | | 4y ago | Moodle XSS Vulnerability |
| CVE-2020-28433 | unknown | — | — | | | | 4y ago | node-latex-pdf is susceptible to command injection |
| CVE-2020-28437 | unknown | — | — | | | | 4y ago | heroku-env susceptible to command injection |
| CVE-2020-7795 | unknown | — | — | | | | 4y ago | get-npm-package-version Command Injection vulnerability |
| CVE-2020-28453 | unknown | — | — | | | | 4y ago | npos-tesseract Command Injection vulnerability |
| CVE-2020-28434 | unknown | — | — | | | | 4y ago | gitblame susceptible to command injection |
| CVE-2020-28425 | unknown | — | — | | | | 4y ago | curljs Command Injection vulnerability |
| CVE-2020-28451 | unknown | — | — | | | | 4y ago | image-tiler susceptible to command injection |
| CVE-2020-28423 | unknown | — | — | | | | 4y ago | monorepo-build Command Injection vulnerability |
| CVE-2020-28422 | unknown | — | — | | | | 4y ago | git-archive vulnerable to Command Injection via exports function |
| CVE-2020-28436 | unknown | — | — | | | | 4y ago | google-cloudstorage-commands Command Injection vulnerability |
| CVE-2020-28438 | unknown | — | — | | | | 4y ago | deferred-exec Command Injection vulnerability |
| CVE-2020-28441 | unknown | — | — | | | | 4y ago | conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2 |
| CVE-2020-28435 | unknown | — | — | | | | 4y ago | ffmpeg-sdk vulnerable to OS Command Injection |
| CVE-2020-28443 | unknown | — | — | | | | 4y ago | sonar-wrapper Command Injection vulnerability |
| CVE-2020-7649 | unknown | — | — | | | | 4y ago | snyk-broker Path Traversal before v4.73.0 |
| CVE-2020-28461 | unknown | — | — | | | | 4y ago | js-ini Prototype Pollution when malicious INI files submitted to an application that parses it with `parse` |
| CVE-2020-28446 | unknown | — | — | | | | 4y ago | ntesseract vulnerable to Command Injection |
| CVE-2020-28447 | unknown | — | — | | | | 4y ago | xopen is vulnerable to OS Command Injection in Exported Function xopen(filepath) |
| CVE-2020-28455 | unknown | — | — | | | | 4y ago | markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped |
| CVE-2020-7678 | unknown | — | — | | | | 4y ago | node-import `params` argument can be controlled by users without any sanitization |
| CVE-2020-28462 | unknown | — | — | | | | 4y ago | ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse` |
| CVE-2020-28471 | unknown | — | — | | | | 4y ago | Properties-Reader before v2.2.0 vulnerable to prototype pollution |
| CVE-2020-28459 | unknown | — | — | | | | 4y ago | markdown-it-decorate vulnerable to cross-site scripting (XSS) |
| CVE-2020-7677 | unknown | — | — | | | | 4y ago | thenify before 3.3.1 made use of unsafe calls to `eval`. |
| CVE-2020-7641 | unknown | — | — | | | | 4y ago | grunt-util-property 0.0.2 function call can add/modify properties of Object.prototype using a __proto__ payload |
| CVE-2020-35305 | unknown | — | — | | | | 4y ago | Gollum Cross-site Scripting vulnerability via filename parameter to New Page dialog |
| CVE-2020-28191 | unknown | — | — | | | | 4y ago | Togglz console missing cross-site request forgery (CSRF) protection |
| CVE-2020-10650 | unknown | — | — | | | | 4y ago | jackson-databind vulnerable to unsafe deserialization |
| CVE-2020-28865 | unknown | — | — | | | | 4y ago | Insufficiently Protected Credentials in PowerJob |
| CVE-2020-36534 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery in easyii CMS |
| CVE-2020-28246 | unknown | — | — | | | | 4y ago | Server-Side Template Injection in formio |
| CVE-2020-35381 | unknown | — | — | | | | 4y ago | jsonparser 1.0.0 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a GET call. |
| CVE-2020-0813 | unknown | — | — | | | | 4y ago | ChakraCore information disclosure vulnerability |
| CVE-2020-13948 | unknown | — | — | | | | 4y ago | While investigating a bug report on Apache Superset, it was determined that an authenticated user could craft requests via a number of templated text fields in the product that would allow arbitrary … |
| CVE-2020-35129 | unknown | — | — | | | | 4y ago | Mautic stored Cross-site Scripting (XSS) |
| CVE-2020-25816 | unknown | — | — | | | | 4y ago | Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault |
| CVE-2020-28957 | unknown | — | — | | | | 4y ago | Foxlor cross-site scripting (XSS) vulnerability |
| CVE-2020-19002 | unknown | — | — | | | | 4y ago | Cross Site Scripting (XSS) in Mezzanine v4.3.1 allows remote attackers to execute arbitrary code via the 'Description' field of the component 'admin/blog/blogpost/add/'. This issue is different than … |