CVEs from 2020

3,795 normalized CVEs published or assigned in this year.

Total: 3,795
Critical: 206
High: 563
Medium: 745
Low: 59
% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%

Top products (number of CVEs)

  • retail_xstore_point_of_service 33
  • banking_digital_experience 30
  • primavera_unifier 29
  • retail_service_backbone 15
  • financial_services_institutional_performance_analytics 13
  • insurance_policy_administration_j2ee 11
  • communications_network_charging_and_control 10
  • enterprise_manager_base_platform 10
CVE | Severity | Published | Description
CVE-2020-1952 | unknown | 5y ago | Improper Certificate Validation in Apache IoTDB
CVE-2020-11887 | unknown | 5y ago | XSS in svg2png (NPM package)
CVE-2020-1964 | unknown | 5y ago | Deserialization of Untrusted Data in Apache Heron
CVE-2020-1026 | unknown | 5y ago | Incorrect Calculation in the MSR JavaScript Cryptography Library
CVE-2020-1692 | unknown | 5y ago | Cross-Site Request Forgery in Moodle
CVE-2020-28500 | unknown | 5y ago | Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
CVE-2020-25039 | unknown | 5y ago | Insecure permissions on user namespace / fakeroot temporary rootfs in Singularity
CVE-2020-13846 | unknown | 5y ago | "Verify All" Returns Success Despite Validation Failures in Singularity
CVE-2020-13845 | unknown | 5y ago | Execution Control List (ECL) Is Insecure in Singularity
CVE-2020-15091 | unknown | 5y ago | Denial of service in github.com/tendermint/tendermint
CVE-2020-12283 | unknown | 5y ago | Open redirect vulnerability in Sourcegraph
CVE-2020-5233 | unknown | 5y ago | The pattern '/\domain.com' is not disallowed when redirecting, allowing for open redirect
CVE-2020-11053 | unknown | 5y ago | Open Redirect in OAuth2 Proxy
CVE-2020-4037 | unknown | 5y ago | Open Redirect in OAuth2 Proxy
CVE-2020-5415 | unknown | 5y ago | GitLab auth uses full name instead of username as user ID, allowing impersonation
CVE-2020-26290 | unknown | 5y ago | Critical security issues in XML encoding in github.com/dexidp/dex
CVE-2020-27847 | unknown | 5y ago | Authentication Bypass in dex
CVE-2020-36846 | unknown | 5y ago | A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happ…
CVE-2020-35215 | unknown | 5y ago | Malicious Atomix node queries expose sensitive information
CVE-2020-35209 | unknown | 5y ago | An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.
CVE-2020-35214 | unknown | 5y ago | An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.
CVE-2020-35210 | unknown | 5y ago | A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.
CVE-2020-35216 | unknown | 5y ago | An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.
CVE-2020-35213 | unknown | 5y ago | An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.
CVE-2020-35211 | unknown | 5y ago | An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node.
CVE-2020-7642 | unknown | 5y ago | Cross-site scripting in lazysizes
CVE-2020-7643 | unknown | 5y ago | Prototype pollution in paypal-adaptive
CVE-2020-7609 | unknown | 5y ago | Code Injection in node-rules
CVE-2020-7644 | unknown | 5y ago | Uncontrolled Resource Consumption in fun-map
CVE-2020-7640 | unknown | 5y ago | OS Command Injection in pixl-class
CVE-2020-24939 | unknown | 5y ago | Prototype pollution in supermixer
CVE-2020-28248 | unknown | 5y ago | Integer Overflow in png-img
CVE-2020-28269 | unknown | 5y ago | Prototype Pollution in field
CVE-2020-8123 | unknown | 5y ago | Uncontrolled Resource Consumption in strapi
CVE-2020-1940 | unknown | 5y ago | Improper Removal of Sensitive Information Before Storage or Transfer in Apache Jackrabbit Oak
CVE-2020-36282 | unknown | 5y ago | Unsafe Deserialization that can Result in Code Execution
CVE-2020-11576 | unknown | 5y ago | Observable Discrepancy in Argo in github.com/argoproj/argo-cd
CVE-2020-7616 | unknown | 5y ago | Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware
CVE-2020-7615 | unknown | 5y ago | OS Command Injection in fsa
CVE-2020-7636 | unknown | 5y ago | OS Command Injection in adb-driver
CVE-2020-7634 | unknown | 5y ago | OS Command Injection in heroku-addonpool
CVE-2020-11611 | unknown | 5y ago | Open Redirect in xdLocalStorage
CVE-2020-7635 | unknown | 5y ago | Command Injection in compass-compile
CVE-2020-28491 | unknown | 5y ago | Denial of Service (DoS) in Jackson Dataformat CBOR
CVE-2020-36189 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSo…
CVE-2020-36187 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CVE-2020-36188 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
CVE-2020-36184 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-36180 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36181 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36185 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-36179 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36182 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-24750 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVE-2020-35491 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-35490 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-24616 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2020-21176 | unknown | 5y ago | SQL Injection in thinkjs
CVE-2020-29457 | unknown | 5y ago | Improper Certificate Validation in OPCFoundation.NetStandard.Opc.Ua.Core
CVE-2020-36186 | unknown | 5y ago | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVE-2020-28472 | unknown | 5y ago | Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader
CVE-2020-14389 | unknown | 5y ago | Improper privilege management in Keycloak
CVE-2020-10378 | unknown | 5y ago | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
CVE-2020-5310 | unknown | 5y ago | libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.
CVE-2020-11476 | unknown | 5y ago | Unrestricted Uploads in Concrete5
CVE-2020-36378 | unknown | 5y ago | Vulnerability in packageCmd function leads to arbitrary code execution via filePath parameters
CVE-2020-36379 | unknown | 5y ago | Vulnerability in remove function leads to arbitrary code execution via filePath parameters
CVE-2020-36377 | unknown | 5y ago | Vulnerability in dump function leads to arbitrary code execution via filePath parameters
CVE-2020-36376 | unknown | 5y ago | Vulnerability in list function leads to arbitrary code execution via filePath parameters
CVE-2020-26705 | unknown | 5y ago | The parseXML function in Easy-XML 0.5.0 was discovered to have a XML External Entity (XXE) vulnerability which allows for an attacker to expose sensitive data or perform a denial of service (DOS) via…
CVE-2020-25911 | unknown | 5y ago | XML External Entity vulnerability in MODX CMS
CVE-2020-36381 | unknown | 5y ago | Vulnerability in singleCrunch function leads to arbitrary code execution via filePath parameters
CVE-2020-36380 | unknown | 5y ago | Vulnerability in crunch function leads to arbitrary code execution via filePath parameters
CVE-2020-22864 | unknown | 5y ago | Cross site scripting in froala-editor
CVE-2020-23049 | unknown | 5y ago | Cross-site scripting in forkcms
CVE-2020-25703 | unknown | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Moodle
CVE-2020-19003 | unknown | 5y ago | An issue in Gate One 1.2.0 allows attackers to bypass to the verification check done by the origins list and connect to Gate One instances used by hosts not on the origins list.
CVE-2020-29204 | unknown | 5y ago | Cross-site Scripting in XXL-JOB
CVE-2020-28270 | unknown | 5y ago | Prototype pollution in object-hierarchy-access
CVE-2020-8818 | unknown | 5y ago | Origin Validation Error in Magento 2
CVE-2020-12607 | unknown | 5y ago | An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1…
CVE-2020-13909 | unknown | 5y ago | Critical severity vulnerability in Ignition
CVE-2020-28274 | unknown | 5y ago | Prototype pollution vulnerability in 'deepref'
CVE-2020-28280 | unknown | 5y ago | Prototype pollution vulnerability in 'predefine'
CVE-2020-28283 | unknown | 5y ago | Prototype pollution vulnerability in 'libnested'
CVE-2020-28282 | unknown | 5y ago | Prototype pollution vulnerability in 'getobject' version 0.1.0 allows an attacker to cause a denial of service and may lead to remote code execution.
CVE-2020-23849 | unknown | 5y ago | Cross-site Scripting in jsoneditor
CVE-2020-5273 | unknown | 5y ago | Stored XSS with custom URLs in PrestaShop module ps_linklist
CVE-2020-8897 | unknown | 5y ago | Security issues in AWS KMS and AWS Encryption SDKs: in-band protocol negotiation and robustness
CVE-2020-20129 | unknown | 5y ago | Cross-site Scripting in LaraCMS
CVE-2020-20693 | unknown | 5y ago | Cross-Site Request Forgery in GilaCMS
CVE-2020-20696 | unknown | 5y ago | Cross-site Scripting in GilaCMS
CVE-2020-20695 | unknown | 5y ago | Cross-site Scripting in GilaCMS
CVE-2020-20120 | unknown | 5y ago | SQL Injection in topthink/thinkphp
CVE-2020-7692 | unknown | 5y ago | Improper Authorization in Google OAuth Client
CVE-2020-23478 | unknown | 5y ago | Leo Editor v6.2.1 was discovered to contain a regular expression denial of service (ReDoS) vulnerability in the component plugins/importers/dart.py.
CVE-2020-26301 | unknown | 5y ago | OS Command Injection in ssh2
CVE-2020-21322 | unknown | 5y ago | Arbitrary Code Execution in feehi/cms
CVE-2020-21122 | unknown | 5y ago | Server-Side Request Forgery in UReport
CVE-2020-21125 | unknown | 5y ago | Remote code execution in UReport
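The CVE-2020-5233 entry above describes a redirect filter that blocks targets beginning with "//" but not the pattern '/\domain.com'. The check below is an added example written for this page; it is not code from that project or from any other entry in the list, and the site origin https://app.example is an assumed placeholder. It shows why a string-prefix check fails (a browser, following the WHATWG URL parser, treats the backslash after the first slash as a second slash, so "/\evil.example" resolves to https://evil.example) and how resolving the candidate against the site's own origin and comparing origins closes the gap.

```javascript
// Added example (not from the CVE listing or any listed project): validating a
// post-login redirect target. SITE_ORIGIN is an assumed placeholder.
const SITE_ORIGIN = "https://app.example";

// Naive check: accept anything that starts with "/" but not "//".
// This is the shape of check that '/\evil.example' slips past.
function isSafeRedirectNaive(target) {
  return typeof target === "string" &&
    target.startsWith("/") && !target.startsWith("//");
}

// Hardened check: resolve the value exactly as a browser would (Node's URL
// class implements the WHATWG parser, backslash handling included), then
// require the resolved origin to be ours. Returns the normalized href to
// redirect to, or null. Callers must redirect to the returned href, never to
// the raw input, so the browser and the check agree on the destination.
function safeRedirectTarget(target) {
  if (typeof target !== "string" || target.length === 0) return null;
  let resolved;
  try {
    resolved = new URL(target, SITE_ORIGIN);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  // Origin comparison also rejects "javascript:" / "data:" targets (origin
  // "null") and http:// downgrades of our own host.
  if (resolved.origin !== SITE_ORIGIN) return null;
  return resolved.href;
}

// Constructed sample inputs: the first is the CVE-2020-5233 shape.
const SAMPLE_TARGETS = [
  "/\\evil.example",          // backslash trick: naive says safe, browser goes to evil.example
  "//evil.example/",          // protocol-relative: both checks reject
  "/account/settings",        // ordinary same-site path
  "https://app.example/x?y=1",// absolute same-origin URL (naive rejects it)
  "http://app.example/x",     // same host, downgraded scheme
  "javascript:alert(1)",      // scheme that is not a navigation target at all
];

for (const t of SAMPLE_TARGETS) {
  console.log(JSON.stringify(t).padEnd(30),
    "naive:", isSafeRedirectNaive(t),
    "hardened:", safeRedirectTarget(t));
}
```

The naive function accepts "/\evil.example" while the parser resolves it off-site; that disagreement between the validator and the browser is the whole bug, and it is why the hardened version returns the parsed href rather than echoing the input.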
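Prototype pollution appears repeatedly among the npm entries above (paypal-adaptive, supermixer, field, object-hierarchy-access, deepref, predefine, libnested, getobject). The block below is an added illustration of that bug class written for this page, not code from any of those packages: a minimal "set a value at a dotted path" helper of the kind such utilities provide, in a pollutable form and in a hardened form, with a constructed hostile path as input.

```javascript
// Added example (not from the CVE listing or any listed package): a dotted-path
// setter that can pollute Object.prototype, and a hardened variant.

// Vulnerable: walks whatever the key names, including "__proto__", which is an
// inherited accessor that resolves to Object.prototype on a plain object.
function setPathVulnerable(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k]; // with k === "__proto__" this is Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: refuse the three keys that reach a shared prototype, and only
// descend through own properties so an inherited value can never be the
// container that gets written to.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function setPathHardened(obj, path, value) {
  const keys = path.split(".");
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set reserved key "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

const HOSTILE_PATH = "__proto__.isAdmin"; // constructed attacker-controlled key path

// Runs the vulnerable setter and reports whether an unrelated fresh object
// now carries the attacker's property; cleans up so the process is usable.
function runVulnerableDemo() {
  try {
    setPathVulnerable({}, HOSTILE_PATH, true);
    return ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin; // undo the global damage
  }
}

// Runs the hardened setter on the same input: it must throw a TypeError and
// leave Object.prototype untouched.
function runHardenedDemo() {
  let rejected = false;
  try {
    setPathHardened({}, HOSTILE_PATH, true);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return rejected && ({}).isAdmin === undefined;
}

console.log("vulnerable setter polluted Object.prototype:", runVulnerableDemo());
console.log("hardened setter rejected the path:", runHardenedDemo());
console.log("hardened setter on benign path:",
  JSON.stringify(setPathHardened({}, "a.b.c", 1)));
```

The key list alone is not enough in general: a setter that descends through inherited properties can still be steered into a shared object by a path whose intermediate key already exists on the prototype, which is why the hardened version also checks for own properties before descending.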