CVEs from 2020
Total: 3,795
- critical: 206
- high: 563
- medium: 745
- low: 59
% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-7600 | unknown | — | — | 5y ago | Improperly Controlled Modification of Dynamically-Determined Object Attributes in querymen | |||
| CVE-2020-10544 | unknown | — | — | 5y ago | Cross-site Scripting in PrimeFaces | |||
| CVE-2020-7602 | unknown | — | — | 5y ago | OS Command Injection in node-prompt-here | |||
| CVE-2020-7603 | unknown | — | — | 5y ago | OS Command Injection in closure-compiler-stream | |||
| CVE-2020-7601 | unknown | — | — | 5y ago | OS Command Injection in gulp-scss-lint | |||
| CVE-2020-7605 | unknown | — | — | 5y ago | OS Command Injection in gulp-tape | |||
| CVE-2020-7607 | unknown | — | — | 5y ago | OS Command Injection in gulp-styledocco | |||
| CVE-2020-7606 | unknown | — | — | 5y ago | OS Command Injection in docker-compose-remote-api | |||
| CVE-2020-7682 | unknown | — | — | 5y ago | Path Traversal in marked-tree | |||
| CVE-2020-8910 | unknown | — | — | 5y ago | Improper Input Validation in Google Closure Library | |||
| CVE-2020-7681 | unknown | — | — | 5y ago | Path Traversal in marscode | |||
| CVE-2020-8215 | unknown | — | — | 5y ago | Buffer overflow in canvas | |||
| CVE-2020-7610 | unknown | — | — | 5y ago | All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialize… | |||
| CVE-2020-8214 | unknown | — | — | 5y ago | Path traversal in servey | |||
| CVE-2020-24554 | unknown | — | — | 5y ago | Open Redirect in Liferay Portal | |||
| CVE-2020-13946 | unknown | — | — | 5y ago | Man-in-the-middle attack in Apache Cassandra | |||
| CVE-2020-25020 | unknown | — | — | 5y ago | Improper Restriction of XML External Entity Reference in MPXJ | |||
| CVE-2020-9298 | unknown | — | — | 5y ago | Server-Side Request Forgery in Spinnaker Orca | |||
| CVE-2020-13933 | unknown | — | — | 5y ago | Authentication bypass in Apache Shiro | |||
| CVE-2020-11976 | unknown | — | — | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Wicket | |||
| CVE-2020-1951 | unknown | — | — | 5y ago | Infinite Loop in Apache Tika | |||
| CVE-2020-1950 | unknown | — | — | 5y ago | Uncontrolled Resource Consumption in Apache Tika | |||
| CVE-2020-9489 | unknown | — | — | 5y ago | Missing Release of Memory after Effective Lifetime in Apache Tika | |||
| CVE-2020-1957 | unknown | — | — | 5y ago | Improper Authentication in Apache Shiro | |||
| CVE-2020-11989 | unknown | — | — | 5y ago | Improper Authentication in Apache Shiro | |||
| CVE-2020-9281 | unknown | — | — | 5y ago | CKEditor 4.0 vulnerability in the HTML Data Processor | |||
| CVE-2020-13278 | unknown | — | — | 5y ago | Reflected cross-site scripting in francoisjacquet/rosariosis | |||
| CVE-2020-5776 | unknown | — | — | 5y ago | Cross-Site Request Forgery in MAGMI | |||
| CVE-2020-5777 | unknown | — | — | 5y ago | Authentication bypass in MAGMI | |||
| CVE-2020-24941 | unknown | — | — | 5y ago | Improper Input Validation in Laravel | |||
| CVE-2020-7759 | unknown | — | — | 5y ago | SQL Injection in pimcore | |||
| CVE-2020-29315 | unknown | — | — | 5y ago | Cross-site scripting in ThinkAdmin | |||
| CVE-2020-7776 | unknown | — | — | 5y ago | Cross-site scripting in phpoffice/phpspreadsheet | |||
| CVE-2020-28925 | unknown | — | — | 5y ago | OS Command injection in Bolt | |||
| CVE-2020-23960 | unknown | — | — | 5y ago | Cross-Site Request Forgery in ForkCMS | |||
| CVE-2020-35700 | unknown | — | — | 5y ago | SQL Injection in librenms | |||
| CVE-2020-7698 | unknown | — | — | 5y ago | This affects the package Gerapy from 0 and before 0.9.3. The input being passed to Popen, via the project_configure endpoint, isn’t being sanitized. | |||
| CVE-2020-10799 | unknown | — | — | 5y ago | The svglib package through 0.9.3 for Python allows XXE attacks via an svg2rlg call. | |||
| CVE-2020-25032 | unknown | — | — | 5y ago | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathna… | |||
| CVE-2020-8134 | unknown | — | — | 5y ago | Server-side request forgery in Ghost CMS | |||
| CVE-2020-8137 | unknown | — | — | 5y ago | Code injection in blamer | |||
| CVE-2020-7730 | unknown | — | — | 5y ago | Command injection in bestzip | |||
| CVE-2020-7729 | unknown | — | — | 5y ago | Arbitrary Code Execution in grunt | |||
| CVE-2020-7726 | unknown | — | — | 5y ago | Prototype Pollution in safe-object2 | |||
| CVE-2020-7725 | unknown | — | — | 5y ago | Prototype Pollution in worksmith | |||
| CVE-2020-7722 | unknown | — | — | 5y ago | Prototype Pollution in nodee-utils | |||
| CVE-2020-7718 | unknown | — | — | 5y ago | Prototype Pollution in gammautils | |||
| CVE-2020-7723 | unknown | — | — | 5y ago | Prototype Pollution in promisehelpers | |||
| CVE-2020-7697 | unknown | — | — | 5y ago | Code injection in mock2easy | |||
| CVE-2020-7715 | unknown | — | — | 5y ago | Prototype Pollution in deep-get-set | |||
| CVE-2020-7727 | unknown | — | — | 5y ago | Prototype Pollution in gedi | |||
| CVE-2020-7721 | unknown | — | — | 5y ago | Prototype Pollution in node-oojs | |||
| CVE-2020-7719 | unknown | — | — | 5y ago | Prototype Pollution in locutus | |||
| CVE-2020-7714 | unknown | — | — | 5y ago | Prototype Pollution in confucious | |||
| CVE-2020-7717 | unknown | — | — | 5y ago | Prototype Pollution in dot-notes | |||
| CVE-2020-7716 | unknown | — | — | 5y ago | Prototype Pollution in deeps | |||
| CVE-2020-7713 | unknown | — | — | 5y ago | Prototype Pollution in arr-flatten-unflatten | |||
| CVE-2020-7712 | unknown | — | — | 5y ago | trentm/json vulnerable to command injection | |||
| CVE-2020-13410 | unknown | — | — | 5y ago | Improper exception handling in Aedes | |||
| CVE-2020-7707 | unknown | — | — | 5y ago | Prototype Pollution in property-expr | |||
| CVE-2020-7706 | unknown | — | — | 5y ago | Prototype Pollution in connie-lang | |||
| CVE-2020-7708 | unknown | — | — | 5y ago | Prototype Pollution in irrelon-path and @irrelon/path | |||
| CVE-2020-7702 | unknown | — | — | 5y ago | Prototype Pollution in templ8 | |||
| CVE-2020-7703 | unknown | — | — | 5y ago | Prototype Pollution in nis-utils | |||
| CVE-2020-7701 | unknown | — | — | 5y ago | Prototype Pollution in madlib-object-utils | |||
| CVE-2020-7700 | unknown | — | — | 5y ago | Prototype Pollution in phpjs | |||
| CVE-2020-8136 | unknown | — | — | 5y ago | Uncontrolled Resource Consumption in fastify-multipart | |||
| CVE-2020-17479 | unknown | — | — | 5y ago | Validation bypass in jpv | |||
| CVE-2020-28499 | unknown | — | — | 5y ago | Prototype Pollution in merge | |||
| CVE-2020-28502 | unknown | — | — | 5y ago | This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into… | |||
| CVE-2020-36326 | unknown | — | — | 5y ago | PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a func… | |||
| CVE-2020-25658 | unknown | — | — | 5y ago | It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. | |||
| CVE-2020-27197 | unknown | — | — | 5y ago | ** DISPUTED ** TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_net… | |||
| CVE-2020-13952 | unknown | — | — | 5y ago | In the course of work on the open source project it was discovered that authenticated users running queries against Hive and Presto database engines could access information via a number of templated… | |||
| CVE-2020-7212 | unknown | — | — | 5y ago | The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent… | |||
| CVE-2020-5421 | unknown | — | — | 5y ago | Improper Input Validation in Spring Framework | |||
| CVE-2020-5412 | unknown | — | — | 5y ago | Externally Controlled Reference to a Resource in Another Sphere and Confused Deputy in Spring Cloud Netflix | |||
| CVE-2020-10687 | unknown | — | — | 5y ago | HTTP Request Smuggling in Undertow | |||
| CVE-2020-10705 | unknown | — | — | 5y ago | Allocation of Resources Without Limits or Throttling in Undertow | |||
| CVE-2020-10719 | unknown | — | — | 5y ago | HTTP Request Smuggling in Undertow | |||
| CVE-2020-26939 | unknown | — | — | 5y ago | Observable Differences in Behavior to Error Inputs in Bouncy Castle | |||
| CVE-2020-35217 | unknown | — | — | 5y ago | Cross-Site Request Forgery in Vert.x-Web framework | |||
| CVE-2020-9447 | unknown | — | — | 5y ago | Cross-site Scripting in GwtUpload | |||
| CVE-2020-13954 | unknown | — | — | 5y ago | Cross-site scripting in Apache CXF | |||
| CVE-2020-7744 | unknown | — | — | 5y ago | Remote Code Execution and download tracking in Mintegral SDK | |||
| CVE-2020-26945 | unknown | — | — | 5y ago | Deserialization errors in MyBatis | |||
| CVE-2020-13955 | unknown | — | — | 5y ago | Missing Authentication for Critical Function in Apache Calcite | |||
| CVE-2020-17510 | unknown | — | — | 5y ago | Authentication bypass in Apache Shiro | |||
| CVE-2020-1733 | unknown | — | — | 5y ago | A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with … | |||
| CVE-2020-10691 | unknown | — | — | 5y ago | An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is cr… | |||
| CVE-2020-14365 | unknown | — | — | 5y ago | A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during … | |||
| CVE-2020-1746 | unknown | — | — | 5y ago | A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.… | |||
| CVE-2020-1737 | unknown | — | — | 5y ago | A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belon… | |||
| CVE-2020-17526 | unknown | — | — | 5y ago | Incorrect Session Validation in Apache Airflow Webserver versions prior to 1.10.14 with default config allows a malicious airflow user on site A where they log in normally, to access unauthorized Air… | |||
| CVE-2020-17515 | unknown | — | — | 5y ago | The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions prior to 1.10.13. This is same as CVE-2020-13944 but t… | |||
| CVE-2020-29456 | unknown | — | — | 5y ago | Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. Th… | |||
| CVE-2020-29128 | unknown | — | — | 5y ago | petl before 1.68, in some configurations, allows resolution of entities in an XML document. | |||
| CVE-2020-17446 | unknown | — | — | 5y ago | asyncpg before 0.21.0 allows a malicious PostgreSQL server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, because of access to an uninitialized poi… | |||
| CVE-2020-28724 | unknown | — | — | 5y ago | Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL. | |||
| CVE-2020-27589 | unknown | — | — | 5y ago | Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases. |