CVEs from 2020

| Total | Critical | High | Medium | Low | % Critical | % with KEV | % with exploit |
|---|---|---|---|---|---|---|---|
| 3,795 | 206 | 563 | 745 | 59 | 5.4% | 3.8% | 5.4% |
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13973 | unknown | — | — | | | | 4y ago | Cross-site scripting in json-sanitizer |
| CVE-2020-15813 | unknown | — | — | | | | 4y ago | Improper Certificate Validation in Graylog |
| CVE-2020-1948 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Apache Dubbo |
| CVE-2020-1954 | unknown | — | — | | | | 4y ago | Apache CXF JMX Integration is vulnerable to a MITM attack |
| CVE-2020-23263 | unknown | — | — | | | | 4y ago | Cross-site scripting in forkcms |
| CVE-2020-14961 | unknown | — | — | | | | 4y ago | Unrestricted Uploads in Concrete5 |
| CVE-2020-15400 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery in CakePHP |
| CVE-2020-15721 | unknown | — | — | | | | 4y ago | Cross-site Scripting in RosarioSIS |
| CVE-2020-24164 | unknown | — | — | | | | 4y ago | Gadget chain attack in Nippy |
| CVE-2020-13928 | unknown | — | — | | | | 4y ago | Cross-site scripting in Apache Atlas |
| CVE-2020-10591 | unknown | — | — | | | | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Concord |
| CVE-2020-15839 | unknown | — | — | | | | 4y ago | Unrestricted Upload of File with Dangerous Type in Liferay Portal and Liferay DXP |
| CVE-2020-1947 | unknown | — | — | | | | 4y ago | Deserialization of Untrusted Data in Apache ShardingSphere |
| CVE-2020-13953 | unknown | — | — | | | | 4y ago | Improper file downloads in Apache Tapestry |
| CVE-2020-7737 | unknown | — | — | | | | 4y ago | Prototype Pollution in safetydance |
| CVE-2020-2287 | unknown | — | — | | | | 4y ago | Request logging bypass in Jenkins Audit Trail Plugin |
| CVE-2020-13937 | unknown | — | — | | | | 4y ago | Authentication bypass in Apache Kylin |
| CVE-2020-5403 | unknown | — | — | | | | 4y ago | Improper Handling of Exceptional Conditions and Improper Input Validation in Reactor Netty |
| CVE-2020-5404 | unknown | — | — | | | | 4y ago | Insufficiently Protected Credentials in Reactor Netty |
| CVE-2020-26882 | unknown | — | — | | | | 4y ago | Data Amplification in Play Framework |
| CVE-2020-27196 | unknown | — | — | | | | 4y ago | Out-of-bounds Write in Play Framework |
| CVE-2020-26883 | unknown | — | — | | | | 4y ago | Uncontrolled Recursion in Play Framework |
| CVE-2020-27217 | unknown | — | — | | | | 4y ago | Improper Validation of Specified Quantity in Input in Eclipse Hono |
| CVE-2020-7751 | unknown | — | — | | | | 4y ago | pathval before version 1.1.1 is vulnerable to prototype pollution. |
| CVE-2020-7773 | unknown | — | — | | | | 4y ago | Cross-site Scripting in markdown-it-highlightjs |
| CVE-2020-7777 | unknown | — | — | | | | 4y ago | Code Injection in jsen |
| CVE-2020-13941 | unknown | — | — | | | | 4y ago | Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), released in Solr version 8.6.0. The Replication handler (https://lucene.apache.org/solr/guide/8_6/index-replication.html#http-api-co… |
| CVE-2020-13957 | unknown | — | — | | | | 4y ago | Incorrect Authorization in Apache Solr |
| CVE-2020-13942 | unknown | — | — | | | | 4y ago | Injection and Improper Input Validation in Apache Unomi |
| CVE-2020-11975 | unknown | — | — | | | | 4y ago | Improper Input Validation in Apache Unomi |
| CVE-2020-7779 | unknown | — | — | | | | 4y ago | Regular Expression Denial of Service in djvalidator |
| CVE-2020-7778 | unknown | — | — | | | | 4y ago | This affects the package systeminformation before 4.30.2. The attacker can overwrite the properties and functions of an object, which can lead to executing OS commands. |
| CVE-2020-25802 | unknown | — | — | | | | 4y ago | Improper Control of Dynamically-Managed Code Resources in Crafter CMS Crafter Studio |
| CVE-2020-25803 | unknown | — | — | | | | 4y ago | Improper Control of Dynamically-Managed Code Resources in Crafter CMS Crafter Studio |
| CVE-2020-7780 | unknown | — | — | | | | 4y ago | Cross-Site Request Forgery |
| CVE-2020-13943 | unknown | — | — | | | | 4y ago | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation o… |
| CVE-2020-8022 | unknown | — | — | | | | 4y ago | Incorrect Default Permissions in Apache Tomcat |
| CVE-2020-25638 | unknown | — | — | | | | 4y ago | SQL injection in hibernate-core |
| CVE-2020-25711 | unknown | — | — | | | | 4y ago | Improper Access Control in infinispan-server-runtime |
| CVE-2020-28923 | unknown | — | — | | | | 4y ago | Data Amplification in Play Framework |
| CVE-2020-17531 | unknown | — | — | | | | 4y ago | Serialization vulnerability in Apache Tapestry |
| CVE-2020-7792 | unknown | — | — | | | | 4y ago | Prototype Pollution in mout |
| CVE-2020-7793 | unknown | — | — | | | | 4y ago | The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see linked commit for more info). |
| CVE-2020-28442 | unknown | — | — | | | | 4y ago | Prototype Pollution in js-data |
| CVE-2020-11974 | unknown | — | — | | | | 4y ago | Remote code execution in DolphinScheduler |
| CVE-2020-13931 | unknown | — | — | | | | 4y ago | Remote code execution in Apache TomEE |
| CVE-2020-8131 | unknown | — | — | | | | 4y ago | Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows attackers to write to any path on the filesystem and potentially lead to arbitrary code execution by forcing the user to install … |
| CVE-2020-17533 | unknown | — | — | | | | 4y ago | Improper privilege handling in Apache Accumulo |
| CVE-2020-35774 | unknown | — | — | | | | 4y ago | TwitterServer Cross-site Scripting via /histograms endpoint |
| CVE-2020-13654 | unknown | — | — | | | | 4y ago | Improper escaping in XWiki Platform |
| CVE-2020-17518 | unknown | — | — | | | | 4y ago | Upload of file to arbitrary path in Apache Flink |
| CVE-2020-36048 | unknown | — | — | | | | 4y ago | Resource exhaustion in engine.io |
| CVE-2020-11995 | unknown | — | — | | | | 4y ago | Deserialization exploitation in Apache Dubbo |
| CVE-2020-17534 | unknown | — | — | | | | 4y ago | Improper synchronization in Apache Netbeans HTML/Java API |
| CVE-2020-24025 | unknown | — | — | | | | 4y ago | Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path. |
| CVE-2020-27219 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Eclipse Hawkbit |
| CVE-2020-17532 | unknown | — | — | | | | 4y ago | Arbitrary code execution in Apache ServiceComb java-chassis |
| CVE-2020-23262 | unknown | — | — | | | | 4y ago | SQL injection without credentials in ming-soft MCMS |
| CVE-2020-9492 | unknown | — | — | | | | 4y ago | Improper Privilege Management in Apache Hadoop |
| CVE-2020-5428 | unknown | — | — | | | | 4y ago | SQL Injection in Spring Cloud Task |
| CVE-2020-13920 | unknown | — | — | | | | 4y ago | Improper Authentication in Apache ActiveMQ |
| CVE-2020-11998 | unknown | — | — | | | | 4y ago | Remote code execution in Apache ActiveMQ |
| CVE-2020-13932 | unknown | — | — | | | | 4y ago | Cross-site Scripting (XSS) in Apache ActiveMQ Artemis |
| CVE-2020-1958 | unknown | — | — | | | | 4y ago | Credentials bypass in Apache Druid |
| CVE-2020-17523 | unknown | — | — | | | | 4y ago | Authentication bypass in Apache Shiro |
| CVE-2020-13947 | unknown | — | — | | | | 4y ago | Cross-site scripting (XSS) in Apache ActiveMQ |
| CVE-2020-14330 | unknown | — | — | | | | 4y ago | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the … |
| CVE-2020-1738 | unknown | — | — | | | | 4y ago | A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be se… |
| CVE-2020-1736 | unknown | — | — | | | | 4y ago | A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does n… |
| CVE-2020-10744 | unknown | — | — | | | | 4y ago | An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the… |
| CVE-2020-14332 | unknown | — | — | | | | 4y ago | A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unau… |
| CVE-2020-17516 | unknown | — | — | | | | 4y ago | Authentication Bypass in Apache Cassandra |
| CVE-2020-1718 | unknown | — | — | | | | 4y ago | Improper Authentication for Keycloak |
| CVE-2020-10776 | unknown | — | — | | | | 4y ago | Cross-site Scripting in keycloak |
| CVE-2020-1694 | unknown | — | — | | | | 4y ago | Incorrect Permission Assignment for Critical Resource and Permissive List of Allowed Inputs in Keycloak |
| CVE-2020-10758 | unknown | — | — | | | | 4y ago | Allocation of Resources Without Limits or Throttling in Keycloak |
| CVE-2020-10748 | unknown | — | — | | | | 4y ago | Cross-site Scripting in Keycloak |
| CVE-2020-1758 | unknown | — | — | | | | 4y ago | Improper Certificate Validation and Improper Validation of Certificate with Host Mismatch in Keycloak |
| CVE-2020-27782 | unknown | — | — | | | | 4y ago | Denial of service in Undertow |
| CVE-2020-1926 | unknown | — | — | | | | 4y ago | Apache Hive Information Exposure and Observable Timing Discrepancy |
| CVE-2020-12668 | unknown | — | — | | | | 4y ago | Unauthorized access to Class instance in Jinjava |
| CVE-2020-9482 | unknown | — | — | | | | 4y ago | Insufficient Session Expiration in Apache NiFi Registry |
| CVE-2020-1734 | unknown | — | — | | | | 4y ago | A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variabl… |
| CVE-2020-27428 | unknown | — | — | | | | 5y ago | Cross-site Scripting in Scratch-Svg-Renderer |
| CVE-2020-7631 | unknown | — | — | | | | 5y ago | OS Command Injection in diskusage-ng |
| CVE-2020-11529 | unknown | — | — | | | | 5y ago | Open Redirect in Grav |
| CVE-2020-7632 | unknown | — | — | | | | 5y ago | OS Command Injection in node-mpv |
| CVE-2020-19316 | unknown | — | — | | | | 5y ago | OS Command Injection in Laravel Framework |
| CVE-2020-9491 | unknown | — | — | | | | 5y ago | Inadequate Encryption Strength in Apache NiFi |
| CVE-2020-9487 | unknown | — | — | | | | 5y ago | Missing Authentication for Critical Function in Apache NiFi |
| CVE-2020-9486 | unknown | — | — | | | | 5y ago | Insertion of Sensitive Information into Log File in Apache NiFi Stateless |
| CVE-2020-13940 | unknown | — | — | | | | 5y ago | Improper Restriction of XML External Entity Reference in Apache NiFi |
| CVE-2020-1942 | unknown | — | — | | | | 5y ago | Insertion of Sensitive Information into Log File in Apache NiFi |
| CVE-2020-1928 | unknown | — | — | | | | 5y ago | Apache NiFi Insertion of Sensitive Information into Log File |
| CVE-2020-1933 | unknown | — | — | | | | 5y ago | Cross-site scripting in Apache NiFi |
| CVE-2020-1936 | unknown | — | — | | | | 5y ago | Cross-site Scripting (XSS) in Apache Ambari Views |
| CVE-2020-28503 | unknown | — | — | | | | 5y ago | Prototype Pollution in copy-props |
| CVE-2020-13936 | unknown | — | — | | | | 5y ago | Sandbox Bypass in Apache Velocity Engine |
| CVE-2020-8124 | unknown | — | — | | | | 5y ago | Insufficient validation and sanitization of user input in the url-parse npm package, version 1.4.4 and earlier, may allow an attacker to bypass security checks. |
| CVE-2020-28452 | unknown | — | — | | | | 5y ago | Cross-Site Request Forgery in com.softwaremill.akka-http-session:core_2.12 |