CVEs from 2020
- Total: 3,795
- critical: 206
- high: 563
- medium: 745
- low: 59
- % Critical: 5.4%
- % with KEV: 3.8%
- % with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-3758 | unknown | — | — | | | | 4y ago | Magento stored cross-site scripting vulnerability |
| CVE-2020-3715 | unknown | — | — | | | | 4y ago | Magento stored cross-site scripting vulnerability |
| CVE-2020-2105 | unknown | — | — | | | | 4y ago | Jenkins REST APIs vulnerable to clickjacking |
| CVE-2020-2108 | unknown | — | — | | | | 4y ago | XXE vulnerability in Jenkins WebSphere Deployer Plugin |
| CVE-2020-2107 | unknown | — | — | | | | 4y ago | Fortify Plugin stored credentials in plain text |
| CVE-2020-2106 | unknown | — | — | | | | 4y ago | Stored XSS vulnerability in Code Coverage API Plugin |
| CVE-2020-2099 | unknown | — | — | | | | 4y ago | Inbound TCP Agent Protocol/3 authentication bypass in Jenkins |
| CVE-2020-2101 | unknown | — | — | | | | 4y ago | Non-constant time comparison of inbound TCP agent connection secret |
| CVE-2020-2100 | unknown | — | — | | | | 4y ago | Jenkins vulnerable to UDP amplification reflection attack |
| CVE-2020-2103 | unknown | — | — | | | | 4y ago | Jenkins Diagnostic page exposed session cookies |
| CVE-2020-2102 | unknown | — | — | | | | 4y ago | Non-constant time HMAC comparison |
| CVE-2020-2104 | unknown | — | — | | | | 4y ago | Memory usage graphs accessible to anyone with Overall/Read |
| CVE-2020-7995 | unknown | — | — | | | | 4y ago | Dolibarr Improper Restriction of Excessive Authentication Attempts |
| CVE-2020-8091 | unknown | — | — | | | | 4y ago | Typo3 Cross-Site Scripting in Flash component (ELTS) |
| CVE-2020-7994 | unknown | — | — | | | | 4y ago | Dolibarr cross-site scripting (XSS) vulnerability |
| CVE-2020-7596 | unknown | — | — | | | | 4y ago | Improper Neutralization of Special Elements in Output Used by a Downstream Component in Codecov |
| CVE-2020-7941 | unknown | — | — | | | | 4y ago | A privilege escalation issue in plone.app.contenttypes in Plone 4.3 through 5.2.1 allows users to PUT (overwrite) some content without needing write permission. |
| CVE-2020-7936 | unknown | — | — | | | | 4y ago | An open redirect on the login form (and possibly other places) in Plone 4.0 through 5.2.1 allows an attacker to craft a link to a Plone Site that, when followed, and possibly after login, will redire… |
| CVE-2020-7937 | unknown | — | — | | | | 4y ago | An XSS issue in the title field in Plone 5.0 through 5.2.1 allows users with a certain privilege level to insert JavaScript that will be executed when other users access the site. |
| CVE-2020-7940 | unknown | — | — | | | | 4y ago | Missing password strength checks on some forms in Plone 4.3 through 5.2.0 allow users to set weak passwords, leading to easier cracking. |
| CVE-2020-7938 | unknown | — | — | | | | 4y ago | plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain privilege level to escalate their privileges up to the highest level. |
| CVE-2020-7939 | unknown | — | — | | | | 4y ago | SQL Injection in DTML or in connection objects in Plone 4.0 through 5.2.1 allows users to perform unwanted SQL queries. (This is a problem in Zope.) |
| CVE-2020-7210 | unknown | — | — | | | | 4y ago | Umbraco CMS vulnerable to CSRF |
| CVE-2020-6638 | unknown | — | — | | | | 4y ago | Grin Insufficient Validation |
| CVE-2020-5501 | unknown | — | — | | | | 4y ago | phpBB Cross-Site Request Forgery (CSRF) |
| CVE-2020-5502 | unknown | — | — | | | | 4y ago | phpBB allows CSRF |
| CVE-2020-2095 | unknown | — | — | | | | 4y ago | Redgate SQL Change Automation Plugin stored credentials in plain text |
| CVE-2020-2094 | unknown | — | — | | | | 4y ago | Missing permission checks in Health Advisor by CloudBees Plugin |
| CVE-2020-2098 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Jenkins Sounds Plugin allow OS command execution |
| CVE-2020-2097 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins Sounds Plugin allow OS command execution |
| CVE-2020-2092 | unknown | — | — | | | | 4y ago | XXE vulnerability in Jenkins Robot Framework Plugin |
| CVE-2020-2093 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Health Advisor by CloudBees Plugin |
| CVE-2020-2090 | unknown | — | — | | | | 4y ago | CSRF vulnerability in Jenkins Amazon EC2 Plugin |
| CVE-2020-2091 | unknown | — | — | | | | 4y ago | Missing permission checks in Jenkins Amazon EC2 Plugin |
| CVE-2020-0606 | unknown | — | — | | | | 4y ago | Remote code execution in Microsoft.WindowsDesktop.App.Ref |
| CVE-2020-6948 | unknown | — | — | | | | 4y ago | HashBrown CMS RCE |
| CVE-2020-5840 | unknown | — | — | | | | 4y ago | HashBrown CMS Directory Traversal |
| CVE-2020-27193 | unknown | — | — | | | | 4y ago | Improper Neutralization of Input During Web Page Generation in CKEditor4 |
| CVE-2020-7385 | unknown | — | — | | | | 4y ago | Metasploit Framework user exposes Metasploit to same deserialization issue that is exploited by that module |
| CVE-2020-13353 | unknown | — | — | | | | 4y ago | Gitaly Insufficient Session Expiration vulnerability |
| CVE-2020-29653 | unknown | — | — | | | | 4y ago | HTML Injection in Froxlor |
| CVE-2020-5205 | unknown | — | — | | | | 4y ago | Session fixation |
| CVE-2020-15150 | unknown | — | — | | | | 4y ago | Remote Code Execution in paginator |
| CVE-2020-1469 | unknown | — | — | | | | 4y ago | Infinite loop in .Net Bond |
| CVE-2020-28847 | unknown | — | — | | | | 4y ago | Cross site scripting in valine |
| CVE-2020-13756 | unknown | — | — | | | | 4y ago | Sabberworm PHP CSS Parser Code injection vulnerability in allSelectors() |
| CVE-2020-26138 | unknown | — | — | | | | 4y ago | FormField with square brackets in field name skips validation |
| CVE-2020-14326 | unknown | — | — | | | | 4y ago | RESTEasy 4.5.5.Final in hash flooding |
| CVE-2020-35510 | unknown | — | — | | | | 4y ago | Uncontrolled Resource Consumption in jboss-remoting |
| CVE-2020-1729 | unknown | — | — | | | | 4y ago | Permissions bypass in SmallRye |
| CVE-2020-18325 | unknown | — | — | | | | 4y ago | Cross-site Scripting in intelliants/subrion |
| CVE-2020-18326 | unknown | — | — | | | | 4y ago | Cross Site Request Forgery in intelliants/subrion |
| CVE-2020-18324 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Subrion CMS |
| CVE-2020-14039 | unknown | — | — | | | | 4y ago | In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Window… |
| CVE-2020-28466 | unknown | — | — | | | | 4y ago | This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer fro… |
| CVE-2020-16844 | unknown | — | — | | | | 4y ago | Authorization bypass in Istio |
| CVE-2020-2023 | unknown | — | — | | | | 4y ago | Improper Privilege Management and Execution with Unnecessary Privileges in Kata Containers |
| CVE-2020-2026 | unknown | — | — | | | | 4y ago | Link Following in Kata Runtime |
| CVE-2020-8555 | unknown | — | — | | | | 4y ago | The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows cert… |
| CVE-2020-8552 | unknown | — | — | | | | 4y ago | The Kubernetes API server component in versions prior to 1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via successful API requests. |
| CVE-2020-8558 | unknown | — | — | | | | 4y ago | The Kubelet and kube-proxy components in versions 1.1.0-1.16.10, 1.17.0-1.17.6, and 1.18.0-1.18.3 were found to contain a security issue which allows adjacent hosts to reach TCP and UDP services boun… |
| CVE-2020-28348 | unknown | — | — | | | | 4y ago | Path Traversal in HashiCorp Nomad in github.com/hashicorp/nomad |
| CVE-2020-12758 | unknown | — | — | | | | 4y ago | Denial of Service (DoS) in HashiCorp Consul in github.com/hashicorp/consul |
| CVE-2020-13401 | unknown | — | — | | | | 4y ago | An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts… |
| CVE-2020-27195 | unknown | — | — | | | | 4y ago | Use After Free in HashiCorp Nomad in github.com/hashicorp/nomad |
| CVE-2020-24359 | unknown | — | — | | | | 4y ago | Improper Input Validation in vault-ssh-helper in github.com/hashicorp/vault-ssh-helper |
| CVE-2020-8568 | unknown | — | — | | | | 4y ago | Directory traversal in sigs.k8s.io/secrets-store-csi-driver |
| CVE-2020-7010 | unknown | — | — | | | | 4y ago | Cryptographic Issues in ECK |
| CVE-2020-8551 | unknown | — | — | | | | 4y ago | The Kubelet component in versions 1.15.0-1.15.9, 1.16.0-1.16.6, and 1.17.0-1.17.2 has been found to be vulnerable to a denial of service attack via the kubelet API, including the unauthenticated HTTP… |
| CVE-2020-13597 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor and Insertion of Sensitive Information Into Sent Data in Calico |
| CVE-2020-8569 | unknown | — | — | | | | 4y ago | NULL Pointer Dereference in Kubernetes CSI snapshot-controller |
| CVE-2020-10714 | unknown | — | — | | | | 4y ago | Session Fixation in WildFly Elytron |
| CVE-2020-1748 | unknown | — | — | | | | 4y ago | Incorrect Authorization in WildFly Elytron |
| CVE-2020-25640 | unknown | — | — | | | | 4y ago | Wildfly logs plaintext passwords |
| CVE-2020-14338 | unknown | — | — | | | | 4y ago | Improper Input Validation in Xerces |
| CVE-2020-13246 | unknown | — | — | | | | 4y ago | Denial of Service in Gitea in code.gitea.io/gitea |
| CVE-2020-26294 | unknown | — | — | | | | 4y ago | Exposure of server configuration in github.com/go-vela/server in github.com/go-vela/compiler |
| CVE-2020-26277 | unknown | — | — | | | | 4y ago | Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer in github.com/datacharmer/dbdeployer |
| CVE-2020-29662 | unknown | — | — | | | | 4y ago | "catalog's registry v2 api exposed on unauthenticated path in Harbor" in github.com/goharbor/harbor |
| CVE-2020-13668 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Drupal Core |
| CVE-2020-26276 | unknown | — | — | | | | 4y ago | SAML authentication vulnerability due to stdlib XML parsing |
| CVE-2020-26521 | unknown | — | — | | | | 4y ago | The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). |
| CVE-2020-15157 | unknown | — | — | | | | 4y ago | In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Sche… |
| CVE-2020-8911 | unknown | — | — | | | | 4y ago | CBC padding oracle issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go |
| CVE-2020-8912 | unknown | — | — | | | | 4y ago | In-band key negotiation issue in AWS S3 Crypto SDK for golang in github.com/aws/aws-sdk-go |
| CVE-2020-15129 | unknown | — | — | | | | 4y ago | Traefik vulnerable to Open Redirect via handling of X-Forwarded-Prefix header |
| CVE-2020-8918 | unknown | — | — | | | | 4y ago | Sensitive information exposure in github.com/google/go-tpm |
| CVE-2020-13788 | unknown | — | — | | | | 4y ago | Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788) in github.com/goharbor/harbor |
| CVE-2020-7629 | unknown | — | — | | | | 4y ago | OS Command Injection in install-package |
| CVE-2020-7630 | unknown | — | — | | | | 4y ago | OS Command Injection in git-add-remote |
| CVE-2020-7627 | unknown | — | — | | | | 4y ago | OS Command Injection in node-key-sender |
| CVE-2020-7625 | unknown | — | — | | | | 4y ago | Injection in op-browser |
| CVE-2020-7626 | unknown | — | — | | | | 4y ago | karma-mojo enables OS Command Injection |
| CVE-2020-7623 | unknown | — | — | | | | 4y ago | OS Command Injection in jscover |
| CVE-2020-7621 | unknown | — | — | | | | 4y ago | OS Command Injection in strong-nginx-controller |
| CVE-2020-11969 | unknown | — | — | | | | 4y ago | Missing Authentication for Critical Function in Apache TomEE |
| CVE-2020-9296 | unknown | — | — | | | | 4y ago | Expression Language Injection in Netflix Conductor |
| CVE-2020-9495 | unknown | — | — | | | | 4y ago | Injection in Apache Archiva |
| CVE-2020-9480 | unknown | — | — | | | | 4y ago | Improper Authentication in Apache Spark |
| CVE-2020-11980 | unknown | — | — | | | | 4y ago | Server-Side Request Forgery in Karaf |