CVEs from 2020
Total: 3,794
- critical: 206
- high: 563
- medium: 744
- low: 60
% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36513 | unknown | — | — | | | | 6y ago | `Read` on uninitialized buffer in `fill_buf()` and `read_up_to()` |
| CVE-2020-36463 | unknown | — | — | | | | 6y ago | Queues allow non-Send types to be sent to other threads, allowing data races |
| CVE-2020-26282 | unknown | — | — | | | | 6y ago | Server-Side Template Injection |
| CVE-2020-26289 | unknown | — | — | | | | 6y ago | regular expression denial of service (ReDoS) |
| CVE-2020-36220 | unknown | — | — | | | | 6y ago | `Demuxer` can carry non-Send types across thread boundaries |
| CVE-2020-36208 | unknown | — | — | | | | 6y ago | conquer-once's OnceCell lacks Send bound for its Sync trait. |
| CVE-2020-26263 | unknown | — | — | | | | 6y ago | tlslite-ng is an open source python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding c… |
| CVE-2020-26258 | unknown | — | — | | | | 6y ago | Server-Side Forgery Request can be activated unmarshalling with XStream |
| CVE-2020-26259 | unknown | — | — | | | | 6y ago | XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling |
| CVE-2020-26227 | unknown | — | — | | | | 6y ago | Cross-Site Scripting in Fluid view helpers |
| CVE-2020-7789 | unknown | — | — | | | | 6y ago | OS Command Injection in node-notifier |
| CVE-2020-36213 | unknown | — | — | | | | 6y ago | Update unsound DrainFilter and RString::retain |
| CVE-2020-36212 | unknown | — | — | | | | 6y ago | Update unsound DrainFilter and RString::retain |
| CVE-2020-36216 | unknown | — | — | | | | 6y ago | Soundness issue: Input<R> can be misused to create data race to an object |
| CVE-2020-36214 | unknown | — | — | | | | 6y ago | Queues allow non-Send types to be sent to other threads, allowing data races |
| CVE-2020-26870 | unknown | — | — | | | | 6y ago | Cross-site Scripting in dompurify |
| CVE-2020-26280 | unknown | — | — | | | | 6y ago | OpenSlides is a free, Web-based presentation and assembly system for managing and projecting agenda, motions, and elections of assemblies. OpenSlides version 3.2, due to unsufficient user input valid… |
| CVE-2020-35460 | unknown | — | — | | | | 6y ago | MPXJ path Traversal vulnerability |
| CVE-2020-35149 | unknown | — | — | | | | 6y ago | Code Injection in mquery |
| CVE-2020-28440 | unknown | — | — | | | | 6y ago | Command Injection in corenlp-js-interface |
| CVE-2020-36449 | unknown | — | — | | | | 6y ago | ShmWriter allows sending non-Send type across threads |
| CVE-2020-36472 | unknown | — | — | | | | 6y ago | ImmediateIO and TransactionalIO can cause data races |
| CVE-2020-36218 | unknown | — | — | | | | 6y ago | ButtplugFutureStateShared allows data race to (!Send\|!Sync) objects |
| CVE-2020-36447 | unknown | — | — | | | | 6y ago | SyncRef's clone() and debug() allow data races |
| CVE-2020-36206 | unknown | — | — | | | | 6y ago | UsbContext trait did not require implementers to be Send and Sync. |
| CVE-2020-17513 | unknown | — | — | | | | 6y ago | In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable for SSRF attack. |
| CVE-2020-17511 | unknown | — | — | | | | 6y ago | In Airflow versions prior to 1.10.13, when creating a user using airflow CLI, the password gets logged in plain text in the Log table in Airflow Metadatase. Same happened when creating a Connection w… |
| CVE-2020-7781 | unknown | — | — | | | | 6y ago | Command injection in connection-tester |
| CVE-2020-28458 | unknown | — | — | | | | 6y ago | datatables.net vulnerable to Prototype Pollution due to incomplete fix |
| CVE-2020-26281 | unknown | — | — | | | | 6y ago | Async-h1 request smuggling possible with long unread bodies |
| CVE-2020-36470 | unknown | — | — | | | | 6y ago | RingBuffer can create multiple mutable references and cause data races |
| CVE-2020-36202 | unknown | — | — | | | | 6y ago | Async-h1 request smuggling possible with long unread bodies |
| CVE-2020-26274 | unknown | — | — | | | | 6y ago | In systeminformation (npm package) before version 4.31.1 there is a command injection vulnerability. The problem was fixed in version 4.31.1 with a shell string sanitation fix. |
| CVE-2020-7791 | unknown | — | — | | | | 6y ago | Denial of Service in i18n |
| CVE-2020-36205 | unknown | — | — | | | | 6y ago | An issue was discovered in the xcb crate through 2020-12-10 for Rust. base::Error does not have soundness. Because of the public ptr field, a use-after-free or double-free can occur. |
| CVE-2020-36467 | unknown | — | — | | | | 6y ago | Multiple soundness issues in `Ptr` |
| CVE-2020-36207 | unknown | — | — | | | | 6y ago | Aovec<T> lacks bound on its Send and Sync traits allowing data races |
| CVE-2020-36466 | unknown | — | — | | | | 6y ago | Multiple soundness issues in `Ptr` |
| CVE-2020-36468 | unknown | — | — | | | | 6y ago | Multiple soundness issues in `Ptr` |
| CVE-2020-36461 | unknown | — | — | | | | 6y ago | MvccRwLock allows data races & aliasing violations |
| CVE-2020-35711 | unknown | — | — | | | | 6y ago | An issue has been discovered in the arc-swap crate before 0.4.8 (and 1.x before 1.1.0) for Rust. Use of arc_swap::access::Map with the Constant test helper (or with a user-supplied implementation of … |
| CVE-2020-26261 | unknown | — | — | | | | 6y ago | jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are sp… |
| CVE-2020-36459 | unknown | — | — | | | | 6y ago | dces' World type can cause data races |
| CVE-2020-35926 | unknown | — | — | | | | 6y ago | nanorand 0.5.0 - RNGs failed to generate properly for non-64-bit numbers |
| CVE-2020-26249 | unknown | — | — | | | | 6y ago | Red Discord Bot Dashboard is an easy-to-use interactive web dashboard to control your Redbot. In Red Discord Bot before version 0.1.7a an RCE exploit has been discovered. This exploit allows Discord … |
| CVE-2020-26234 | unknown | — | — | | | | 6y ago | Disabled Hostname Verification in Opencast |
| CVE-2020-26256 | unknown | — | — | | | | 6y ago | Denial of service in fast-csv |
| CVE-2020-26255 | unknown | — | — | | | | 6y ago | Kirby Panel users could upload PHP Phar archives as content files before v2.5.14 and v3.4.5 |
| CVE-2020-36211 | unknown | — | — | | | | 6y ago | ImageChunkMut needs bounds on its Send and Sync traits |
| CVE-2020-36438 | unknown | — | — | | | | 6y ago | Future<T> lacks bounds on Send and Sync. |
| CVE-2020-35927 | unknown | — | — | | | | 6y ago | Thex<T> allows data races of non-Send types across threads |
| CVE-2020-36444 | unknown | — | — | | | | 6y ago | ArcGuard's Send and Sync should have bounds on RC |
| CVE-2020-26254 | unknown | — | — | | | | 6y ago | omniauth-apple allows attacker to fake their email address during authentication |
| CVE-2020-35923 | unknown | — | — | | | | 6y ago | ordered_float:NotNan may contain NaN after panic in assignment operators |
| CVE-2020-26244 | unknown | — | — | | | | 6y ago | Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The iss… |
| CVE-2020-27218 | unknown | — | — | | | | 6y ago | Buffer not correctly recycled in Gzip Request inflation |
| CVE-2020-26250 | unknown | — | — | | | | 6y ago | OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which s… |
| CVE-2020-36203 | unknown | — | — | | | | 6y ago | Unsound: can make `ARefss` contain a !Send, !Sync object. |
| CVE-2020-35925 | unknown | — | — | | | | 6y ago | MPMCConsumer/Producer allows sending non-Send type across threads |
| CVE-2020-35918 | unknown | — | — | | | | 6y ago | Unexpected panic when decoding tokens |
| CVE-2020-36462 | unknown | — | — | | | | 6y ago | Send bound needed on T (for Send impl of `Bucket2`) |
| CVE-2020-35917 | unknown | — | — | | | | 6y ago | Reference counting error in `From<Py<T>>` |
| CVE-2020-26245 | unknown | — | — | | | | 6y ago | npm package systeminformation before version 4.30.5 is vulnerable to Prototype Pollution leading to Command Injection. The issue was fixed with a rewrite of shell sanitations to avoid prototyper poll… |
| CVE-2020-26243 | unknown | — | — | | | | 6y ago | Memory leak in Nanopb |
| CVE-2020-26238 | unknown | — | — | | | | 6y ago | Template injection in cron-utils |
| CVE-2020-26237 | unknown | — | — | | | | 6y ago | Highlight.js vulnerability |
| CVE-2020-26232 | unknown | — | — | | | | 6y ago | Jupyter Server before version 1.0.6 has an Open redirect vulnerability. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers are techn… |
| CVE-2020-36448 | unknown | — | — | | | | 6y ago | Cache<K>: Send/Sync impls needs trait bounds on `K` |
| CVE-2020-36437 | unknown | — | — | | | | 6y ago | QueueSender<T>/QueueReceiver<T>: Send/Sync impls need `T: Send` |
| CVE-2020-36445 | unknown | — | — | | | | 6y ago | convec::ConVec<T> unconditionally implements Send/Sync |
| CVE-2020-26229 | unknown | — | — | | | | 6y ago | XML External Entity in Dashboard Widget |
| CVE-2020-26228 | unknown | — | — | | | | 6y ago | Cleartext storage of session identifier |
| CVE-2020-26231 | unknown | — | — | | | | 6y ago | Bypass of fix for CVE-2020-15247, Twig sandbox escape |
| CVE-2020-15247 | unknown | — | — | | | | 6y ago | Twig Sandbox Escape by authenticated users with access to editing CMS templates when safemode is enabled. |
| CVE-2020-15246 | unknown | — | — | | | | 6y ago | Local File Inclusion by unauthenticated users |
| CVE-2020-15249 | unknown | — | — | | | | 6y ago | Stored XSS by authenticated backend user with access to upload files |
| CVE-2020-15248 | unknown | — | — | | | | 6y ago | Privilege escalation by backend users assigned to the default "Publisher" system role |
| CVE-2020-26226 | unknown | — | — | | | | 6y ago | Secret disclosure when containing characters that become URI encoded |
| CVE-2020-26215 | unknown | — | — | | | | 6y ago | Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are t… |
| CVE-2020-26216 | unknown | — | — | | | | 6y ago | Cross-Site Scripting through Fluid view helper arguments |
| CVE-2020-26235 | unknown | — | — | | | | 6y ago | In Rust time crate from version 0.2.7 and before version 0.2.23, unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires the user to … |
| CVE-2020-35924 | unknown | — | — | | | | 6y ago | TryMutex<T> allows sending non-Send type across threads |
| CVE-2020-36455 | unknown | — | — | | | | 6y ago | Slock<T> allows sending non-Send types across thread boundaries |
| CVE-2020-36439 | unknown | — | — | | | | 6y ago | ReadTicket and WriteTicket should only be sendable when T is Send |
| CVE-2020-26225 | unknown | — | — | | | | 6y ago | Reflected XSS with parameters in PostComment |
| CVE-2020-26217 | unknown | — | — | | | | 6y ago | XStream can be used for Remote Code Execution |
| CVE-2020-36471 | unknown | — | — | | | | 6y ago | An issue was discovered in the generator crate before 0.7.0 for Rust. It does not ensure that a function (for yielding values) has Send bounds. |
| CVE-2020-36435 | unknown | — | — | | | | 6y ago | Singleton lacks bounds on Send and Sync. |
| CVE-2020-36453 | unknown | — | — | | | | 6y ago | Queue<T> should have a Send bound on its Send/Sync traits |
| CVE-2020-36456 | unknown | — | — | | | | 6y ago | CopyCell lacks bounds on its Send trait allowing for data races |
| CVE-2020-36446 | unknown | — | — | | | | 6y ago | SyncChannel<T> can move 'T: !Send' to other threads |
| CVE-2020-36436 | unknown | — | — | | | | 6y ago | PinSlab<T> and Unordered<T, S> need bounds on their Send/Sync traits |
| CVE-2020-36469 | unknown | — | — | | | | 6y ago | Data race and memory safety issue in `Index` |
| CVE-2020-36451 | unknown | — | — | | | | 6y ago | Send/Sync bound needed on T for Send/Sync impl of RcuCell<T> |
| CVE-2020-36454 | unknown | — | — | | | | 6y ago | `LockWeak<T>` allows to create data race to `T`. |
| CVE-2020-35921 | unknown | — | — | | | | 6y ago | An issue was discovered in the miow crate before 0.3.6 for Rust. It has false expectations about the std::net::SocketAddr memory representation. |
| CVE-2020-26222 | unknown | — | — | | | | 6y ago | Remote code execution in dependabot-core branch names when cloning |
| CVE-2020-35928 | unknown | — | — | | | | 6y ago | Send/Sync bound needed on V in `impl Send/Sync for ARCache<K, V>` |
| CVE-2020-26223 | unknown | — | — | | | | 6y ago | Authorization bypass in Spree |
| CVE-2020-35916 | unknown | — | — | | | | 6y ago | An issue was discovered in the image crate before 0.23.12 for Rust. A Mutable reference has immutable provenance. (In the case of LLVM, the IR may be always correct.) |