CVEs from 2020

3,797 normalized CVEs published or assigned in 2020.

Total: 3,797
Critical: 206
High: 563
Medium: 745
Low: 59
% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%

The four severity counts sum to 1,573; the remaining 2,224 entries carry no severity on this page (they appear as "unknown" in the table below). The percentages are computed against the full 3,797 (206 / 3,797 = 5.4%), not against the scored subset.

Top products (CPE product name, CVE count)

  • retail_xstore_point_of_service 33
  • banking_digital_experience 30
  • primavera_unifier 29
  • retail_service_backbone 15
  • financial_services_institutional_performance_analytics 13
  • insurance_policy_administration_j2ee 11
  • communications_network_charging_and_control 10
  • enterprise_manager_base_platform 10
CVE | Severity | Published (relative to page capture) | Description
(The CVSS, Risk, Flags, OS and Vendor columns were empty for every row on this page.)
CVE-2020-18698 unknown 4y ago Improper Authentication in Lin-CMS-Flask v0.1.1 allows remote attackers to launch brute force login attempts without restriction via the 'login' function in the component 'app/api/cms/user.py'.
CVE-2020-18699 unknown 4y ago Cross Site Scripting (XSS) in Lin-CMS-Flask v0.1.1 allows remote attackers to execute arbitrary code by entering scripts in the 'Username' parameter in the component 'app/api/cms/user.py'.
CVE-2020-28088 unknown 4y ago Jeecg-Boot CMS arbitrary file upload vulnerability
CVE-2020-22330 unknown 4y ago Subrion Cross-Site Scripting (XSS) vulnerability
CVE-2020-22765 unknown 4y ago NukeViet Cross-site Scripting via the editor in the News module
CVE-2020-21808 unknown 4y ago NukeViet SQL Injection vulnerability via topicsid parameter
CVE-2020-21809 unknown 4y ago NukeViet SQL Injection vulnerability
CVE-2020-18151 unknown 4y ago ThinkCMF Cross Site Request Forgery (CSRF) vulnerability
CVE-2020-36397 unknown 4y ago LavaLite Stored Cross-site Scripting vulnerability
CVE-2020-36395 unknown 4y ago Stored XSS in LavaLite 5.8.0
CVE-2020-36396 unknown 4y ago Stored XSS in LavaLite 5.8.0
CVE-2020-25817 unknown 4y ago SilverStripe XXE Vulnerability in CSSContentParser
CVE-2020-13662 unknown 4y ago Drupal Core Open Redirect vulnerability
CVE-2020-13665 unknown 4y ago Drupal Core Access bypass vulnerability
CVE-2020-28124 unknown 4y ago Cross Site Scripting (XSS) in LavaLite 5.8.0
CVE-2020-7924 unknown 4y ago MongoDB Tools Improper Certificate Validation vulnerability in github.com/mongodb/mongo-tools
CVE-2020-23761 unknown 4y ago subrion CMS Cross Site Scripting (XSS) vulnerability
CVE-2020-19626 unknown 4y ago Craft CMS Cross-site Scripting Vulnerability
CVE-2020-6578 unknown 4y ago Reflected XSS in Zen Cart before 1.5.7a
CVE-2020-29556 unknown 4y ago Grav CMS Local File Injection
CVE-2020-29553 unknown 4y ago Grav CMS Cross-Site Request Forgery (CSRF)
CVE-2020-29555 unknown 4y ago Grav CMS Arbitrary File Deletion
CVE-2020-24914 unknown 4y ago qcubed PHP object injection
CVE-2020-24912 unknown 4y ago qcubed reflected cross-site scripting (XSS) vulnerability
CVE-2020-24913 unknown 4y ago qcubed SQL injection vulnerability in profile.php via the strQuery parameter
CVE-2020-35296 unknown 4y ago ThinkAdmin Admin Panel Access using Default Credentials
CVE-2020-28243 unknown 4y ago An issue was discovered in SaltStack Salt before 3002.5. The minion's restartcheck is vulnerable to command injection via a crafted process name. This allows for a local privilege escalation by any u…
CVE-2020-35662 unknown 4y ago In SaltStack Salt before 3002.5, when authenticating to services using certain modules, the SSL certificate is not always validated.
CVE-2020-28972 unknown 4y ago In SaltStack Salt before 3002.5, authentication to VMware vcenter, vsphere, and esxi servers (in the vmware.py files) does not always validate the SSL/TLS certificate.
CVE-2020-35571 unknown 4y ago MantisBT XSS in manage_custom_field_update.php
CVE-2020-36245 unknown 4y ago GramAddict through 1.2.3 allows remote attackers to execute arbitrary code because of use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, e.g., by being on the same W…
CVE-2020-25340 unknown 4y ago An issue was discovered in NFStream 5.2.0. Because some allocated modules are not correctly freed, if the nfstream object is directly destroyed without being used after it is created, it will cause a…
CVE-2020-7021 unknown 4y ago Insertion of Sensitive Information into Log File in Elasticsearch
CVE-2020-29582 unknown 4y ago Incorrect Default Permissions in JetBrains Kotlin
CVE-2020-29605 unknown 4y ago MantisBT Incorrect Authorization in bug_actiongroup_page.php
CVE-2020-29603 unknown 4y ago MantisBT Insecure Storage in manage_proj_edit_page.php
CVE-2020-29604 unknown 4y ago MantisBT Missing Authorization access check in bug_actiongroup.php
CVE-2020-23355 unknown 4y ago Codiad Vulnerable to PHP Magic Hash Vulnerability
CVE-2020-35239 unknown 4y ago CakePHP allows method override parameters to bypass CSRF checks
CVE-2020-21146 unknown 4y ago Feehi CMS vulnerable to Cross-site Scripting in Username Field
CVE-2020-22643 unknown 4y ago Feehi CMS arbitrary file upload vulnerability
CVE-2020-8567 unknown 4y ago Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure
CVE-2020-27851 unknown 4y ago Gravity Forms stored HTML injection vulnerability
CVE-2020-27850 unknown 4y ago Gravity Forms stored Cross-Site Scripting (XSS) vulnerability
CVE-2020-27852 unknown 4y ago Gravity Forms stored Cross-Site Scripting (XSS) vulnerability in the survey feature
CVE-2020-35128 unknown 4y ago Mautic stored Cross-site Scripting (XSS)
CVE-2020-36191 unknown 4y ago JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
CVE-2020-23653 unknown 4y ago ThinkAdmin insecure unserialize vulnerability
CVE-2020-35459 unknown 4y ago ClusterLabs crmsh vulnerable to shell code injection
CVE-2020-26768 unknown 4y ago Formstone Vulnerable to Reflected XSS
CVE-2020-25476 unknown 4y ago Liferay Portal Vulnerable to Cross-Site Scripting (XSS) via User Name Parameter
CVE-2020-5809 unknown 4y ago Umbraco CMS vulnerable to stored XSS
CVE-2020-35849 unknown 4y ago MantisBT Incorrect Authorization for bug_revision_view_page.php check
CVE-2020-29244 unknown 4y ago Panic due to out-of-bounds read in github.com/dhowden/tag
CVE-2020-29245 unknown 4y ago Panic due to out-of-bounds read in github.com/dhowden/tag
CVE-2020-29242 unknown 4y ago Panic due to out-of-bounds read in github.com/dhowden/tag
CVE-2020-29243 unknown 4y ago Panic due to out-of-bounds read in github.com/dhowden/tag
CVE-2020-29156 unknown 4y ago WooCommerce Incorrect Authorization
CVE-2020-28277 unknown 4y ago dset vulnerable to prototype pollution
CVE-2020-28279 unknown 4y ago flattenizer vulnerable to prototype pollution
CVE-2020-28276 unknown 4y ago Prototype pollution vulnerability in 'deep-set'
CVE-2020-28278 unknown 4y ago shvl vulnerable to prototype pollution
CVE-2020-35136 unknown 4y ago Dolibarr authenticated Remote Code Execution
CVE-2020-20136 unknown 4y ago QuantConnect Lean vulnerable to insecure deserialization
CVE-2020-7790 unknown 4y ago browsershot local file inclusion vulnerability
CVE-2020-28838 unknown 4y ago OpenCart Cross-Site Request Forgery (CSRF)
CVE-2020-8920 unknown 4y ago Information leak in Gerrit
CVE-2020-16971 unknown 4y ago Azure SDK for Java Security Feature Bypass Vulnerability
CVE-2020-27822 unknown 4y ago Wildfly has a memory leak vulnerability
CVE-2020-25627 unknown 4y ago Moodle stored Cross-site Scripting (XSS)
CVE-2020-25631 unknown 4y ago Moodle Cross-site Scripting (XSS)
CVE-2020-25630 unknown 4y ago Moodle Denial of Service
CVE-2020-25629 unknown 4y ago Moodle incorrect access control
CVE-2020-29565 unknown 4y ago An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would all…
CVE-2020-27348 unknown 4y ago In some conditions, a snap package built by snapcraft includes the current directory in LD_LIBRARY_PATH, allowing a malicious snap to gain code execution within the context of another snap if both pl…
CVE-2020-25449 unknown 4y ago Cross Site Scripting (XSS) vulnerability in Arachnys Cabot 0.11.12 can be exploited via the Address column.
CVE-2020-5680 unknown 4y ago EC-CUBE Improper input validation vulnerability
CVE-2020-5679 unknown 4y ago EC-CUBE Improper Restriction of Rendered UI Layers or Frames
CVE-2020-28272 unknown 4y ago keyget vulnerable to prototype pollution
CVE-2020-2323 unknown 4y ago Missing permission checks in Jenkins Chaos Monkey Plugin
CVE-2020-2320 unknown 4y ago Jenkins Plugin Installation Manager Tool did not verify plugin downloads
CVE-2020-2324 unknown 4y ago XXE vulnerability in Jenkins CVS Plugin
CVE-2020-2322 unknown 4y ago Missing permission checks in Jenkins Chaos Monkey Plugin
CVE-2020-2321 unknown 4y ago CSRF vulnerability in Jenkins Shelve Project Plugin
CVE-2020-29367 unknown 4y ago blosc2 heap-based buffer overflow
CVE-2020-10763 unknown 4y ago Heketi logs sensitive information
CVE-2020-28975 unknown 4y ago ** DISPUTED ** svm_predict_values in svm.cpp in Libsvm v324, as used in scikit-learn 0.23.2 and other products, allows attackers to cause a denial of service (segmentation fault) via a crafted model …
CVE-2020-23489 unknown 4y ago AVideo vulnerable to Improper Privilege Management
CVE-2020-28364 unknown 4y ago A stored cross-site scripting (XSS) vulnerability affects the Web UI in Locust before 1.3.2, if the installation violates the usage expectations by exposing this UI to outside users.
CVE-2020-28267 unknown 4y ago Prototype pollution in @strikeentco/set
CVE-2020-24406 unknown 4y ago Magento information disclosure vulnerability
CVE-2020-24405 unknown 4y ago Magento incorrect permissions vulnerability in the Inventory module
CVE-2020-24407 unknown 4y ago Magento 2 Community Edition RCE via Unsafe File Upload
CVE-2020-24403 unknown 4y ago Magento incorrect user permissions vulnerability within the Inventory component
CVE-2020-24400 unknown 4y ago Magento SQL Injection vulnerability
CVE-2020-24404 unknown 4y ago Magento 2 Community Edition vulnerable to Improper Authorization
CVE-2020-24402 unknown 4y ago Magento incorrect permissions vulnerability in the Integrations component
CVE-2020-24401 unknown 4y ago Magento 2 Community Edition Incorrect Authorization
CVE-2020-23136 unknown 4y ago Microweber Insufficient Session Expiry
CVE-2020-17490 unknown 4y ago The TLS module within SaltStack Salt through 3002 creates certificates with weak file permissions.
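Six of the entries above (dset, flattenizer, deep-set, shvl, keyget, @strikeentco/set) are the same bug class: a "set value at dotted path" helper that walks an attacker-controlled path without screening the prototype keys. The block below is an added illustration written for this page; it is not code from any of those packages or from the CVE records. It shows a minimal deep-set helper in its vulnerable and hardened forms against a constructed payload. The function names (`unsafeSet`, `safeSet`, `demonstrate`) and the `isAdmin` property are assumptions made for the demo.

```javascript
// Added example: generic deep-set helper, vulnerable vs. hardened.
// Not the code of dset, deep-set, shvl, keyget, flattenizer or
// @strikeentco/set; the names below are assumptions for this demo.

const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable form: walks the path with no key screening. With a path of
// "__proto__.isAdmin" the first hop resolves cur["__proto__"] to
// Object.prototype, so the final assignment lands on the shared prototype
// and every object in the process inherits `isAdmin`.
function unsafeSet(obj, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || typeof cur[k] !== "object") cur[k] = {};
    cur = cur[k]; // "__proto__" resolves to Object.prototype here
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened form: refuse the three prototype keys anywhere in the path and
// only descend into own, non-null object properties, so an inherited
// property can never become the traversal target.
function safeSet(obj, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split(".");
  for (const k of keys) {
    if (FORBIDDEN.has(k)) {
      throw new Error(`refusing to set prototype key "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Constructed attacker payload (not from any real report): a server that
// applies user-supplied {path, value} pairs to a settings object.
const ATTACKER_PAYLOAD = JSON.parse('{"path":"__proto__.isAdmin","value":true}');

// Runs one setter against the payload and reports whether an unrelated,
// freshly created object picked up the injected property. Cleans up the
// prototype afterwards so the rest of the process is unaffected.
function demonstrate(setter) {
  const settings = {};
  let error = null;
  try {
    setter(settings, ATTACKER_PAYLOAD.path, ATTACKER_PAYLOAD.value);
  } catch (e) {
    error = e.message;
  }
  const unrelated = {};
  const result = {
    polluted: unrelated.isAdmin === true,
    ownKeys: Object.keys(settings),
    error,
  };
  delete Object.prototype.isAdmin;
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", demonstrate(unsafeSet)); // polluted: true, ownKeys: []
  console.log("safe:  ", demonstrate(safeSet));   // polluted: false, error set
}
```

Note that the vulnerable run leaves `settings` with no own keys at all: the write went entirely to `Object.prototype`, which is why this class of bug is easy to miss in tests that only inspect the target object. Checking an unrelated fresh object, as `demonstrate` does, is the reliable detection.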