CVEs from 2020

3,795 normalized CVEs published or assigned in this year.

  • Total: 3,795
  • Critical: 206
  • High: 563
  • Medium: 745
  • Low: 59
  • % Critical: 5.4%
  • % with KEV: 3.8%
  • % with exploit: 5.4%

Top products

  • retail_xstore_point_of_service 33
  • banking_digital_experience 30
  • primavera_unifier 29
  • retail_service_backbone 15
  • financial_services_institutional_performance_analytics 13
  • insurance_policy_administration_j2ee 11
  • communications_network_charging_and_control 10
  • enterprise_manager_base_platform 10
CVE | Severity | Published | Description
CVE-2020-5303 unknown 5y ago Denial of service in Tendermint
CVE-2020-5300 unknown 5y ago Authentication Bypass in hydra in github.com/ory/hydra
CVE-2020-7639 unknown 5y ago eivindfjeldstad-dot contains prototype pollution vulnerability
CVE-2020-7633 unknown 5y ago apiconnect-cli-plugins vulnerable to OS Command Injection
CVE-2020-26213 unknown 5y ago Denial-of-Service within Docker container in ktbs.dev/teler
CVE-2020-15233 unknown 5y ago OAuth2 Redirect URL validity does not respect query parameters and character casing for loopback addresses
CVE-2020-15234 unknown 5y ago Redirect URL matching ignores character casing
CVE-2020-15229 unknown 5y ago Path traversal and files overwrite with unsquashfs in singularity
CVE-2020-12699 unknown 5y ago Open redirect in direct_mail
CVE-2020-12697 unknown 5y ago Denial of service in direct_mail
CVE-2020-13794 unknown 5y ago Authenticated users can exploit an enumeration vulnerability in Harbor in github.com/goharbor/harbor
CVE-2020-15222 unknown 5y ago Token reuse in github.com/ory/fosite
CVE-2020-15223 unknown 5y ago Improper handling of token revocation in github.com/ory/fosite
CVE-2020-15216 unknown 5y ago In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered fi…
CVE-2020-15187 unknown 5y ago plugin.yaml file allows for duplicate entries in helm
CVE-2020-15186 unknown 5y ago Improper Sanitizing of plugin names in helm
CVE-2020-15185 unknown 5y ago Repository index file allows for duplicates of the same chart entry in helm
CVE-2020-15184 unknown 5y ago Aliases are never checked in helm
CVE-2020-24356 unknown 5y ago Local Privilege Escalation in cloudflared in github.com/cloudflare/cloudflared
CVE-2020-25040 unknown 5y ago Insecure permissions on build temporary rootfs in Singularity
CVE-2020-13482 unknown 5y ago Improper Certificate Validation in EM-HTTP-Request
CVE-2020-13163 unknown 5y ago Improper certificate validation in em-imap
CVE-2020-7659 unknown 5y ago HTTP Request Smuggling in reel
CVE-2020-7671 unknown 5y ago HTTP Request Smuggling in goliath
CVE-2020-11972 unknown 5y ago Deserialization of Untrusted Data in Apache Camel RabbitMQ
CVE-2020-1960 unknown 5y ago Command injection in Apache Flink
CVE-2020-11971 unknown 5y ago Improper Input Validation in Apache Camel
CVE-2020-26892 unknown 5y ago The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
CVE-2020-1762 unknown 5y ago Insufficient Session Expiration in Kiali in github.com/kiali/kiali
CVE-2020-12666 unknown 5y ago Open redirect in gopkg.in/macaron.v1
CVE-2020-7665 unknown 5y ago Path traversal in u-root in github.com/u-root/u-root
CVE-2020-26160 unknown 5y ago jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fai…
CVE-2020-27813 unknown 5y ago An integer overflow vulnerability exists with the length of websocket frames received via a websocket connection. An attacker would use this flaw to cause a denial of service attack on an HTTP Server…
CVE-2020-36066 unknown 5y ago GJSON <1.6.5 allows attackers to cause a denial of service (remote) via crafted JSON.
CVE-2020-14958 unknown 5y ago Insecure Permissions in Gogs in gogs.io/gogs
CVE-2020-7668 unknown 5y ago Path Traversal in github.com/unknwon/cae
CVE-2020-7664 unknown 5y ago Path traversal in github.com/unknwon/cae
CVE-2020-10750 unknown 5y ago Information Exposure in jaeger in github.com/jaegertracing/jaeger
CVE-2020-1764 unknown 5y ago Hard coded cryptographic key in Kiali in github.com/kiali/kiali
CVE-2020-7669 unknown 5y ago github.com/u-root/u-root/pkg/tarutil Arbitrary File Write via Archive Extraction (Zip Slip) in github.com/u-root/u-root
CVE-2020-10675 unknown 5y ago The Library API in buger jsonparser through 2019-12-04 allows attackers to cause a denial of service (infinite loop) via a Delete call.
CVE-2020-13250 unknown 5y ago Allocation of Resources Without Limits or Throttling in Hashicorp Consul in github.com/hashicorp/consul
CVE-2020-13170 unknown 5y ago Improper Input Validation in HashiCorp Consul in github.com/hashicorp/consul
CVE-2020-13223 unknown 5y ago Information Disclosure in HashiCorp Vault in github.com/hashicorp/vault
CVE-2020-12757 unknown 5y ago Improper Input Validation in HashiCorp Vault in github.com/hashicorp/vault-plugin-secrets-gcp
CVE-2020-7956 unknown 5y ago Improper Certificate Validation in HashiCorp Nomad in github.com/hashicorp/nomad
CVE-2020-7218 unknown 5y ago Allocation of Resources Without Limits or Throttling in HashiCorp Nomad in github.com/hashicorp/nomad
CVE-2020-7219 unknown 5y ago Denial of Service (DoS) in HashiCorp Consul in github.com/hashicorp/consul
CVE-2020-8945 unknown 5y ago The proglottis Go wrapper before 0.1.1 for the GPGME library has a use-after-free, as demonstrated by use for container image pulls by Docker or CRI-O. This leads to a crash or potential code executi…
CVE-2020-7765 unknown 5y ago Uncontrolled Resource Consumption in firebase
CVE-2020-28268 unknown 5y ago Prototype pollution in controlled-merge
CVE-2020-7696 unknown 5y ago Credential leak in react-native-fast-image
CVE-2020-7684 unknown 5y ago Path traversal in rollup-plugin-serve
CVE-2020-8186 unknown 5y ago Injection and Command Injection in devcert
CVE-2020-7690 unknown 5y ago Cross-site scripting in jspdf
CVE-2020-8176 unknown 5y ago Cross-site scripting in @shopify/koa-shopify-auth
CVE-2020-7688 unknown 5y ago OS Command Injection in mversion
CVE-2020-15362 unknown 5y ago OS Command Injection in wifiscanner
CVE-2020-7679 unknown 5y ago Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs
CVE-2020-7673 unknown 5y ago node-extend through 0.2.0 is vulnerable to Arbitrary Code Execution. User input provided to the argument `A` of `extend` function`(A,B,as,isAargs)` located within `lib/extend.js` is executed by the `…
CVE-2020-7674 unknown 5y ago Improper Input Validation in access-policy
CVE-2020-7675 unknown 5y ago Code Injection in cd-messenger
CVE-2020-7672 unknown 5y ago Code Injection in mosc
CVE-2020-7691 unknown 5y ago Cross-site scripting in jspdf
CVE-2020-7772 unknown 5y ago Prototype Pollution in doc-path
CVE-2020-8268 unknown 5y ago Prototype pollution in json8-merge-patch
CVE-2020-7770 unknown 5y ago Prototype pollution in json8
CVE-2020-7769 unknown 5y ago This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
CVE-2020-7767 unknown 5y ago Regular expression denial of service in express-validators
CVE-2020-7768 unknown 5y ago Prototype pollution in grpc and @grpc/grpc-js
CVE-2020-7766 unknown 5y ago Arbitrary Code Execution in json-ptr
CVE-2020-7761 unknown 5y ago Regular expression denial of service in @absolunet/kafe
CVE-2020-7748 unknown 5y ago Prototype pollution in @tsed/core
CVE-2020-7746 unknown 5y ago This affects the package chart.js before 2.9.4. The options parameter is not properly sanitized when it is processed. When the options are processed, the existing options (or the defaults options) ar…
CVE-2020-7757 unknown 5y ago Path Traversal in droppy
CVE-2020-8127 unknown 5y ago Cross-site Scripting in reveal.js
CVE-2020-8132 unknown 5y ago Improper Input Validation and Code Injection in pdf-image
CVE-2020-7758 unknown 5y ago Path Traversal in browserless-chrome
CVE-2020-7760 unknown 5y ago Regular expression denial of service in codemirror
CVE-2020-7755 unknown 5y ago Regular Expression Denial of Service in dat.gui
CVE-2020-7753 unknown 5y ago Regular Expression Denial of Service in trim
CVE-2020-27664 unknown 5y ago Authorization bypass in Strapi
CVE-2020-7749 unknown 5y ago Injection and Cross-site Scripting in osm-static-maps
CVE-2020-7747 unknown 5y ago Cross-site Scripting in lightning-server
CVE-2020-7743 unknown 5y ago Prototype Pollution in mathjs
CVE-2020-7742 unknown 5y ago Prototype Pollution in simpl-schema
CVE-2020-7740 unknown 5y ago Server-Side Request Forgery in node-pdf-generator
CVE-2020-7739 unknown 5y ago Server-Side Request Forgery in phantomjs-seo
CVE-2020-7709 unknown 5y ago Prototype pollution in json-pointer
CVE-2020-7738 unknown 5y ago Arbitrary Code Execution in shiba
CVE-2020-7736 unknown 5y ago Prototype Pollution in bmoor
CVE-2020-7620 unknown 5y ago OS Command Injection in pomelo-monitor
CVE-2020-28429 unknown 5y ago Command Injection in geojson2kml
CVE-2020-7724 unknown 5y ago Prototype Pollution in tiny-conf
CVE-2020-7619 unknown 5y ago Command injection in get-git-data
CVE-2020-7735 unknown 5y ago OS Command Injection in ng-packagr
CVE-2020-8237 unknown 5y ago Uncontrolled Resource Consumption in json-bigint
CVE-2020-8158 unknown 5y ago TypeORM vulnerable to MAID and Prototype Pollution
CVE-2020-7604 unknown 5y ago OS Command Injection in pulverizr
CVE-2020-7733 unknown 5y ago The package ua-parser-js before 0.7.22 are vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.