CVEs from 2020

Total: 3,794
- critical: 206
- high: 563
- medium: 744
- low: 60

% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36319 | unknown | — | — | | | | 5y ago | Potential sensitive data exposure in applications using Vaadin 15 |
| CVE-2020-36321 | unknown | — | — | | | | 5y ago | Directory traversal in development mode handler in Vaadin 14 and 15-17 |
| CVE-2020-36320 | unknown | — | — | | | | 5y ago | Regular expression denial of service (ReDoS) in EmailValidator class in Vaadin 7 |
| CVE-2020-17131 | unknown | — | — | | | | 5y ago | Out-of-bounds Write in Chakra |
| CVE-2020-29454 | unknown | — | — | | | | 5y ago | Incorrect permission enforcement in UmbracoCms |
| CVE-2020-8125 | unknown | — | — | | | | 5y ago | Improper Input Validation in klona |
| CVE-2020-24391 | unknown | — | — | | | | 5y ago | Remote code execution in mongo-express |
| CVE-2020-7782 | unknown | — | — | | | | 5y ago | Command injection in spritesheet-js |
| CVE-2020-28479 | unknown | — | — | | | | 5y ago | Denial of Service (DoS) via the unsetByPath function in jsjoints |
| CVE-2020-28470 | unknown | — | — | | | | 5y ago | Cross-site Scripting (XSS) in @scullyio/scully |
| CVE-2020-7693 | unknown | — | — | | | | 5y ago | Incorrect handling of the Upgrade header with the value websocket leads to crashing of containers hosting sockjs apps. This affects the package sockjs before 0.3.20. |
| CVE-2020-8823 | unknown | — | — | | | | 5y ago | Cross-site scripting in SocksJS-node |
| CVE-2020-8128 | unknown | — | — | | | | 5y ago | Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport |
| CVE-2020-7762 | unknown | — | — | | | | 5y ago | Path Traversal in jsreport-chrome-pdf |
| CVE-2020-7771 | unknown | — | — | | | | 5y ago | Prototype Pollution in asciitable.js |
| CVE-2020-28464 | unknown | — | — | | | | 5y ago | Arbitrary code execution in djv |
| CVE-2020-8129 | unknown | — | — | | | | 5y ago | Code Injection in script-manager |
| CVE-2020-28281 | unknown | — | — | | | | 5y ago | Prototype pollution in set-object-value |
| CVE-2020-28448 | unknown | — | — | | | | 5y ago | Prototype Pollution in multi-ini |
| CVE-2020-28460 | unknown | — | — | | | | 5y ago | Prototype pollution in multi-ini |
| CVE-2020-28439 | unknown | — | — | | | | 5y ago | Command injection in corenlp-js-prefab |
| CVE-2020-7787 | unknown | — | — | | | | 5y ago | Improper Authentication in react-adal |
| CVE-2020-28450 | unknown | — | — | | | | 5y ago | Prototype Pollution in decal |
| CVE-2020-28449 | unknown | — | — | | | | 5y ago | Prototype Pollution in decal |
| CVE-2020-28487 | unknown | — | — | | | | 5y ago | Cross-site Scripting in vis-timeline |
| CVE-2020-28501 | unknown | — | — | | | | 5y ago | Regular Expression Denial of Service (ReDoS) in es6-crawler-detect |
| CVE-2020-28360 | unknown | — | — | | | | 5y ago | Server-Side Request Forgery in private-ip |
| CVE-2020-27224 | unknown | — | — | | | | 5y ago | Cross-site Scripting (XSS) in Eclipse Theia |
| CVE-2020-7775 | unknown | — | — | | | | 5y ago | Improper neutralization of arguments in freediskspace |
| CVE-2020-24393 | unknown | — | — | | | | 5y ago | Improper Certificate Validation in TweetStream |
| CVE-2020-7942 | unknown | — | — | | | | 5y ago | Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infras… |
| CVE-2020-28490 | unknown | — | — | | | | 5y ago | Command Injection in async-git |
| CVE-2020-7786 | unknown | — | — | | | | 5y ago | Command Injection in macfromip |
| CVE-2020-27543 | unknown | — | — | | | | 5y ago | Denial of Service (DoS) in restify-paginate |
| CVE-2020-1740 | unknown | — | — | | | | 5y ago | A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, … |
| CVE-2020-28736 | unknown | — | — | | | | 5y ago | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). |
| CVE-2020-28735 | unknown | — | — | | | | 5y ago | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). |
| CVE-2020-28734 | unknown | — | — | | | | 5y ago | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. |
| CVE-2020-7965 | unknown | — | — | | | | 5y ago | flaskparser.py in Webargs 5.x through 5.5.2 doesn't check that the Content-Type header is application/json when receiving JSON input. If the request body is valid JSON, it will accept it even if the … |
| CVE-2020-26759 | unknown | — | — | | | | 5y ago | clickhouse-driver before 0.1.5 allows a malicious clickhouse server to trigger a crash or execute arbitrary code (on a database client) via a crafted server response, due to a buffer overflow. |
| CVE-2020-10684 | unknown | — | — | | | | 5y ago | A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable wh… |
| CVE-2020-10685 | unknown | — | — | | | | 5y ago | A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 an… |
| CVE-2020-1735 | unknown | — | — | | | | 5y ago | A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All ver… |
| CVE-2020-1753 | unknown | — | — | | | | 5y ago | A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubern… |
| CVE-2020-1739 | unknown | — | — | | | | 5y ago | A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to oth… |
| CVE-2020-25628 | unknown | — | — | | | | 5y ago | Cross-site scripting (XSS) in moodle |
| CVE-2020-25702 | unknown | — | — | | | | 5y ago | Cross-site Scripting (XSS) in moodle |
| CVE-2020-25699 | unknown | — | — | | | | 5y ago | Privilege Escalation in moodle |
| CVE-2020-25701 | unknown | — | — | | | | 5y ago | Privilege Escalation in moodle |
| CVE-2020-25698 | unknown | — | — | | | | 5y ago | Improper Access Control in moodle |
| CVE-2020-25700 | unknown | — | — | | | | 5y ago | SQL Injection in moodle |
| CVE-2020-24392 | unknown | — | — | | | | 5y ago | In voloko twitter-stream 0.1.10, missing TLS hostname validation allows an attacker to perform a man-in-the-middle attack against users of the library (because eventmachine is misused). |
| CVE-2020-8298 | unknown | — | — | | | | 5y ago | Command injection in fs-path |
| CVE-2020-8908 | unknown | — | — | | | | 5y ago | Information Disclosure in Guava |
| CVE-2020-13757 | unknown | — | — | | | | 5y ago | Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application use… |
| CVE-2020-25626 | unknown | — | — | | | | 5y ago | A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come … |
| CVE-2020-35681 | unknown | — | — | | | | 5y ago | Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler class, used for handling HTTP type reques… |
| CVE-2020-7785 | unknown | — | — | | | | 5y ago | Command injection in node-ps |
| CVE-2020-28426 | unknown | — | — | | | | 5y ago | Command injection in kill-process-on-port |
| CVE-2020-28273 | unknown | — | — | | | | 5y ago | Prototype pollution in set-in |
| CVE-2020-7014 | unknown | — | — | | | | 5y ago | Privilege Escalation Flaw in Elasticsearch |
| CVE-2020-7020 | unknown | — | — | | | | 5y ago | Privilege Context Switching Error in Elasticsearch |
| CVE-2020-17551 | unknown | — | — | | | | 5y ago | Cross-site scripting (XSS) |
| CVE-2020-13959 | unknown | — | — | | | | 5y ago | Cross-site scripting (XSS) in Apache Velocity Tools |
| CVE-2020-27223 | unknown | — | — | | | | 5y ago | DOS vulnerability for Quoted Quality CSV headers |
| CVE-2020-28498 | unknown | — | — | | | | 5y ago | The package elliptic before 6.5.4 are vulnerable to Cryptographic Issues via the secp256k1 implementation in elliptic/ec/key.js. There is no check to confirm that the public key point passed into the… |
| CVE-2020-28496 | unknown | — | — | | | | 5y ago | This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i+… |
| CVE-2020-8902 | unknown | — | — | | | | 5y ago | SSRF in Rendertron |
| CVE-2020-13697 | unknown | — | — | | | | 5y ago | NanoHTTPD Cross-site Scripting vulnerability |
| CVE-2020-25649 | unknown | — | — | | | | 5y ago | A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from t… |
| CVE-2020-35572 | unknown | — | — | | | | 5y ago | vrana/adminer via XSS in the history parameter in SQL command |
| CVE-2020-26299 | unknown | — | — | | | | 5y ago | File System Bounds Escape |
| CVE-2020-28494 | unknown | — | — | | | | 5y ago | Command injection in total.js |
| CVE-2020-28495 | unknown | — | — | | | | 5y ago | Prototype pollution in total.js |
| CVE-2020-8570 | unknown | — | — | | | | 5y ago | Path Traversal in the Java Kubernetes Client |
| CVE-2020-26248 | unknown | — | — | | | | 5y ago | Blind SQL injection in PrestaShop productcomments module |
| CVE-2020-28482 | unknown | — | — | | | | 5y ago | Cross-site Request Forgery in fastify-csrf |
| CVE-2020-28477 | unknown | — | — | | | | 5y ago | Prototype Pollution in immer |
| CVE-2020-28481 | unknown | — | — | | | | 5y ago | CORS misconfiguration in socket.io |
| CVE-2020-28478 | unknown | — | — | | | | 5y ago | Prototype pollution in gsap |
| CVE-2020-28480 | unknown | — | — | | | | 5y ago | Prototype pollution in JointJS |
| CVE-2020-35124 | unknown | — | — | | | | 6y ago | XSS vulnerability leveraged through referrers could allow un-authorized admin access in Mautic |
| CVE-2020-26253 | unknown | — | — | | | | 6y ago | Kirby .dev domains and some reverse proxy setups were treated as local |
| CVE-2020-28042 | unknown | — | — | | | | 6y ago | Signature validation bypass in ServiceStack |
| CVE-2020-7741 | unknown | — | — | | | | 6y ago | XSS in hello.js |
| CVE-2020-7784 | unknown | — | — | | | | 6y ago | Command injection in ts-process-promises |
| CVE-2020-7794 | unknown | — | — | | | | 6y ago | Command injection in buns |
| CVE-2020-13922 | unknown | — | — | | | | 6y ago | Incorrect Default Permissions in Apache DolphinScheduler |
| CVE-2020-26298 | unknown | — | — | | | | 6y ago | Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTM… |
| CVE-2020-28168 | unknown | — | — | | | | 6y ago | Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host … |
| CVE-2020-26293 | unknown | — | — | | | | 6y ago | XSS in HtmlSanitizer |
| CVE-2020-36452 | unknown | — | — | | | | 6y ago | `FixedCapacityDequeLike::clone()` can cause dropping uninitialized memory |
| CVE-2020-36512 | unknown | — | — | | | | 6y ago | InputStream::read_exact : `Read` on uninitialized buffer causes UB |
| CVE-2020-36511 | unknown | — | — | | | | 6y ago | `read` on uninitialized buffer may cause UB (bite::read::BiteReadExpandedExt::read_framed_max) |
| CVE-2020-36210 | unknown | — | — | | | | 6y ago | `impl Random` on arrays can lead to dropping uninitialized memory |
| CVE-2020-26291 | unknown | — | — | | | | 6y ago | Hostname spoofing via backslashes in URL |
| CVE-2020-26296 | unknown | — | — | | | | 6y ago | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulner… |
| CVE-2020-26247 | unknown | — | — | | | | 6y ago | Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Noko… |
| CVE-2020-26288 | unknown | — | — | | | | 6y ago | Parse Server stores password in plain text |
| CVE-2020-36514 | unknown | — | — | | | | 6y ago | `Read` on uninitialized buffer in `fill_buf()` and `read_up_to()` |