CVEs from 2020

Total: 3,795
- critical: 206
- high: 563
- medium: 745
- low: 59

% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-1744 | unknown | — | — | | | | 5y ago | Exposure of Sensitive Information in keycloak |
| CVE-2020-18155 | unknown | — | — | | | | 5y ago | SQL Injection in Subrion CMS |
| CVE-2020-15877 | unknown | — | — | | | | 5y ago | Exposure of Resource to Wrong Sphere in LibreNMS |
| CVE-2020-23700 | unknown | — | — | | | | 5y ago | Cross-site scripting in LavaLite-CMS |
| CVE-2020-13929 | unknown | — | — | | | | 5y ago | Authentication bypass in Apache Zeppelin |
| CVE-2020-9321 | unknown | — | — | | | | 5y ago | Improper Certificate Handling in github.com/containous/traefik |
| CVE-2020-22345 | unknown | — | — | | | | 5y ago | OS Command Injection in Centreon |
| CVE-2020-19001 | unknown | — | — | | | | 5y ago | Command Injection in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary system commands via line 64 of the component 'simiki/blob/master/simiki/config.py'. |
| CVE-2020-19000 | unknown | — | — | | | | 5y ago | Cross Site Scripting (XSS) in Simiki v1.6.2.1 and prior allows remote attackers to execute arbitrary code via line 54 of the component 'simiki/blob/master/simiki/generators.py'. |
| CVE-2020-22392 | unknown | — | — | | | | 5y ago | Cross Site Scripting in Subrion CMS |
| CVE-2020-6950 | unknown | — | — | | | | 5y ago | Directory traversal in Eclipse Mojarra |
| CVE-2020-22403 | unknown | — | — | | | | 5y ago | Cross-Site Request Forgery in express-cart |
| CVE-2020-18705 | unknown | — | — | | | | 5y ago | XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/core/content/views.py'. |
| CVE-2020-18704 | unknown | — | — | | | | 5y ago | Unrestricted Upload of File with Dangerous Type in Django-Widgy v0.8.4 allows remote attackers to execute arbitrary code via the 'image' widget in the component 'Change Widgy Page'. |
| CVE-2020-18703 | unknown | — | — | | | | 5y ago | XML External Entities (XXE) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the component 'quokka/utils/atom.py'. |
| CVE-2020-18702 | unknown | — | — | | | | 5y ago | Cross Site Scripting (XSS) in Quokka v0.4.0 allows remote attackers to execute arbitrary code via the 'Username' parameter in the component 'quokka/admin/actions.py'. |
| CVE-2020-19709 | unknown | — | — | | | | 5y ago | Cross-site scripting in feehicms |
| CVE-2020-36474 | unknown | — | — | | | | 5y ago | SafeCurl before 0.9.2 has a DNS rebinding vulnerability. |
| CVE-2020-18899 | unknown | — | — | | | | 5y ago | An uncontrolled memory allocation in DataBufdata(subBox.length-sizeof(box)) function of Exiv2 0.27 allows attackers to cause a denial of service (DOS) via a crafted input. |
| CVE-2020-18701 | unknown | — | — | | | | 5y ago | Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token u… |
| CVE-2020-15522 | unknown | — | — | | | | 5y ago | Timing based private key exposure in Bouncy Castle |
| CVE-2020-17952 | unknown | — | — | | | | 5y ago | Code injection in topthink/think |
| CVE-2020-23234 | unknown | — | — | | | | 5y ago | Cross Site Scripting in LavaLite CMS |
| CVE-2020-9472 | unknown | — | — | | | | 5y ago | Unrestricted Upload of File with Dangerous Type in Umbraco CMS |
| CVE-2020-8867 | unknown | — | — | | | | 5y ago | Insufficient Session Expiration and TOCTOU Race Condition in OPC Foundation UA .Net Standard |
| CVE-2020-1180 | unknown | — | — | | | | 5y ago | Remote code execution in ChakraCore |
| CVE-2020-1172 | unknown | — | — | | | | 5y ago | Remote code execution in ChakraCore |
| CVE-2020-1057 | unknown | — | — | | | | 5y ago | Remote code execution in ChakraCore |
| CVE-2020-27998 | unknown | — | — | | | | 5y ago | Missing Authorization in FastReport |
| CVE-2020-0768 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-17048 | unknown | — | — | | | | 5y ago | Out-of-bounds Write in ChakraCore |
| CVE-2020-17054 | unknown | — | — | | | | 5y ago | Out-of-bounds Write in ChakraCore |
| CVE-2020-16250 | unknown | — | — | | | | 5y ago | Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault |
| CVE-2020-27178 | unknown | — | — | | | | 5y ago | Improper Authentication in Apereo CAS |
| CVE-2020-19676 | unknown | — | — | | | | 5y ago | Incorrect Access Control in Nacos |
| CVE-2020-0828 | unknown | — | — | | | | 5y ago | Out-of-bounds Write in ChakraCore |
| CVE-2020-0831 | unknown | — | — | | | | 5y ago | Out-of-bounds Write in ChakraCore |
| CVE-2020-0826 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0833 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0830 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0829 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0832 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0848 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0823 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0825 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-0827 | unknown | — | — | | | | 5y ago | Out-of-bounds write in ChakraCore |
| CVE-2020-7955 | unknown | — | — | | | | 5y ago | Incorrect Authorization in HashiCorp Consul in github.com/hashicorp/consul |
| CVE-2020-7220 | unknown | — | — | | | | 5y ago | Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault |
| CVE-2020-7964 | unknown | — | — | | | | 5y ago | Missing Authentication for Critical Function in Saleor |
| CVE-2020-25025 | unknown | — | — | | | | 5y ago | Incorrect Authorization in TYPO3 extension |
| CVE-2020-12700 | unknown | — | — | | | | 5y ago | Missing Authorization in TYPO3 extension |
| CVE-2020-12698 | unknown | — | — | | | | 5y ago | Missing Authorization in TYPO3 extension |
| CVE-2020-11671 | unknown | — | — | | | | 5y ago | Missing Authorization in TeamPass |
| CVE-2020-13619 | unknown | — | — | | | | 5y ago | OS Command Injection in Locutus |
| CVE-2020-12477 | unknown | — | — | | | | 5y ago | Incorrect Authorization in TeamPass |
| CVE-2020-8827 | unknown | — | — | | | | 5y ago | Improper Restriction of Excessive Authentication Attempts in Argo API in github.com/argoproj/argo-cd |
| CVE-2020-8828 | unknown | — | — | | | | 5y ago | Argo CD Insecure default administrative password |
| CVE-2020-1920 | unknown | — | — | | | | 5y ago | Regular expression denial of service in react-native |
| CVE-2020-36049 | unknown | — | — | | | | 5y ago | socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used. |
| CVE-2020-12118 | unknown | — | — | | | | 5y ago | Incorrect Default Permissions in Binance tss-lib in github.com/binance-chain/tss-lib |
| CVE-2020-15111 | unknown | — | — | | | | 5y ago | CRLF vulnerability in Fiber in github.com/gofiber/fiber |
| CVE-2020-26242 | unknown | — | — | | | | 5y ago | Denial of service in github.com/holiman/uint256 |
| CVE-2020-26241 | unknown | — | — | | | | 5y ago | Shallow copy bug in geth in github.com/ethereum/go-ethereum |
| CVE-2020-26240 | unknown | — | — | | | | 5y ago | Erroneous Proof of Work calculation in geth in github.com/ethereum/go-ethereum |
| CVE-2020-12642 | unknown | — | — | | | | 5y ago | XXE vulnerability in Launch import |
| CVE-2020-4053 | unknown | — | — | | | | 5y ago | Plugin archive directory traversal in Helm |
| CVE-2020-7919 | unknown | — | — | | | | 5y ago | Panic in certificate parsing in crypto/x509 and golang.org/x/crypto/cryptobyte |
| CVE-2020-28483 | unknown | — | — | | | | 5y ago | This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header. |
| CVE-2020-35380 | unknown | — | — | | | | 5y ago | GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON. |
| CVE-2020-12797 | unknown | — | — | | | | 5y ago | Incorrect Permission Assignment for Critical Resource in Hashicorp Consul in github.com/hashicorp/consul |
| CVE-2020-26279 | unknown | — | — | | | | 5y ago | Path traversal in github.com/ipfs/go-ipfs |
| CVE-2020-26283 | unknown | — | — | | | | 5y ago | Control character injection in console output in github.com/ipfs/go-ipfs |
| CVE-2020-7731 | unknown | — | — | | | | 5y ago | Panic due to malformed XML digital signature in github.com/russellhaering/goxmldsig |
| CVE-2020-7711 | unknown | — | — | | | | 5y ago | This affects all versions of package github.com/russellhaering/goxmldsig. There is a crash on nil-pointer dereference caused by sending malformed XML signatures. |
| CVE-2020-7667 | unknown | — | — | | | | 5y ago | Arbitrary File Write via Archive Extraction (Zip Slip) in github.com/sassoftware/go-rpmutils |
| CVE-2020-23264 | unknown | — | — | | | | 5y ago | Cross-Site Request Forgery in forkcms |
| CVE-2020-13252 | unknown | — | — | | | | 5y ago | Command Injection in Centreon |
| CVE-2020-12467 | unknown | — | — | | | | 5y ago | Session Fixation in Subrion CMS |
| CVE-2020-17522 | unknown | — | — | | | | 5y ago | Cache Manipulation Attack in Apache Traffic Control |
| CVE-2020-13258 | unknown | — | — | | | | 5y ago | Cross-site scripting in Contentful |
| CVE-2020-7655 | unknown | — | — | | | | 5y ago | netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP pipelining issues and request smuggling attacks might be possible due to incorrect Transfer encoding header parsing which could a… |
| CVE-2020-14942 | unknown | — | — | | | | 5y ago | Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py. |
| CVE-2020-13944 | unknown | — | — | | | | 5y ago | In Apache Airflow < 1.10.12, the "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. |
| CVE-2020-11977 | unknown | — | — | | | | 5y ago | Shell command injection in Apache Syncope |
| CVE-2020-1959 | unknown | — | — | | | | 5y ago | Expression Language Injection in Apache Syncope |
| CVE-2020-1961 | unknown | — | — | | | | 5y ago | Injection in Apache Syncope |
| CVE-2020-10729 | unknown | — | — | | | | 5y ago | A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since … |
| CVE-2020-10688 | unknown | — | — | | | | 5y ago | Cross-site scripting in RESTEasy |
| CVE-2020-26136 | unknown | — | — | | | | 5y ago | Authentication bypass in SilverStripe GraphQL |
| CVE-2020-12690 | unknown | — | — | | | | 5y ago | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a key… |
| CVE-2020-25724 | unknown | — | — | | | | 5y ago | Unsynchronized Access to Shared Data in a Multithreaded Context in RESTEasy |
| CVE-2020-14340 | unknown | — | — | | | | 5y ago | Uncontrolled Resource Consumption in XNIO |
| CVE-2020-1719 | unknown | — | — | | | | 5y ago | Privilege Context Switching Error in WildFly |
| CVE-2020-17495 | unknown | — | — | | | | 5y ago | django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information th… |
| CVE-2020-10693 | unknown | — | — | | | | 5y ago | Improper Input Validation in Hibernate Validator |
| CVE-2020-25633 | unknown | — | — | | | | 5y ago | Generation of Error Message Containing Sensitive Information in RESTEasy client |
| CVE-2020-13388 | unknown | — | — | | | | 5y ago | An exploitable vulnerability exists in the configuration-loading functionality of the jw.util package before 2.3 for Python. When loading a configuration with FromString or FromStream with YAML, one … |
| CVE-2020-1701 | unknown | — | — | | | | 5y ago | Permissions bypass in KubeVirt in kubevirt.io/kubevirt |
| CVE-2020-11091 | unknown | — | — | | | | 5y ago | Weave Net clusters susceptible to MitM attacks via IPv6 rogue router advertisements in github.com/weaveworks/weave |
| CVE-2020-11013 | unknown | — | — | | | | 5y ago | Lookup function information disclosure in helm |