CVEs from 2020
Total: 3,794
- critical: 206
- high: 563
- medium: 744
- low: 60
% Critical: 5.4%
% with KEV: 3.8%
% with exploit: 5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-13670 | unknown | — | — | | | | 6y ago | Exposure of Resource to Wrong Sphere in Drupal Core |
| CVE-2020-13667 | unknown | — | — | | | | 6y ago | Drupal Core Access bypass vulnerability |
| CVE-2020-13669 | unknown | — | — | | | | 6y ago | Drupal core Cross-site Scripting (XSS) vulnerability in ckeditor |
| CVE-2020-13688 | unknown | — | — | | | | 6y ago | Drupal Core Cross-site scripting vulnerability |
| CVE-2020-13666 | unknown | — | — | | | | 6y ago | Drupal Core Cross-site scripting vulnerability |
| CVE-2020-15148 | unknown | — | — | | | | 6y ago | Unsafe deserialization in Yii 2 |
| CVE-2020-15178 | unknown | — | — | | | | 6y ago | Potential XSS injection In PrestaShop contactform |
| CVE-2020-7720 | unknown | — | — | | | | 6y ago | The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: Version 0.10.0 is a breaking change removing the vulnerable functions. |
| CVE-2020-15171 | unknown | — | — | | | | 6y ago | Users with SCRIPT right can execute arbitrary code in XWiki |
| CVE-2020-15168 | unknown | — | — | | | | 6y ago | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get throw… |
| CVE-2020-24660 | unknown | — | — | | | | 6y ago | An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used. An attacker may bypass URL-based access control to protected Virtual Hosts by submitting a non-normalized URI. This also af… |
| CVE-2020-15163 | unknown | — | — | | | | 6y ago | Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This al… |
| CVE-2020-15169 | unknown | — | — | | | | 6y ago | In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default… |
| CVE-2020-25794 | unknown | — | — | | | | 6y ago | An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, clone can have a memory-safety issue upon a panic. |
| CVE-2020-25796 | unknown | — | — | | | | 6y ago | An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the InlineArray implementation, an unaligned reference may be generated for a type that has a large alignment requirement. |
| CVE-2020-25793 | unknown | — | — | | | | 6y ago | An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From<InlineArray<A, T>>. |
| CVE-2020-25792 | unknown | — | — | | | | 6y ago | An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair(). |
| CVE-2020-25791 | unknown | — | — | | | | 6y ago | An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit(). |
| CVE-2020-25795 | unknown | — | — | | | | 6y ago | An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, insert_from can have a memory-safety issue upon a panic. |
| CVE-2020-36649 | unknown | — | — | | | | 6y ago | A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regula… |
| CVE-2020-13110 | unknown | — | — | | | | 6y ago | DLL Injection in kerberos |
| CVE-2020-35906 | unknown | — | — | | | | 6y ago | An issue was discovered in the futures-task crate before 0.3.6 for Rust. futures_task::waker may cause a use-after-free in a non-static type situation. |
| CVE-2020-12265 | unknown | — | — | | | | 6y ago | Path Traversal in decompress |
| CVE-2020-7618 | unknown | — | — | | | | 6y ago | Prototype Pollution in sds |
| CVE-2020-8147 | unknown | — | — | | | | 6y ago | Prototype Pollution |
| CVE-2020-8135 | unknown | — | — | | | | 6y ago | Server-Side Request Forgery in @uppy/companion |
| CVE-2020-35892 | unknown | — | — | | | | 6y ago | `index()` allows out-of-bound read and `remove()` has off-by-one error |
| CVE-2020-35891 | unknown | — | — | | | | 6y ago | Memory safety issues in `compact::Vec` |
| CVE-2020-35894 | unknown | — | — | | | | 6y ago | Obstack generates unaligned references |
| CVE-2020-35893 | unknown | — | — | | | | 6y ago | `index()` allows out-of-bound read and `remove()` has off-by-one error |
| CVE-2020-35890 | unknown | — | — | | | | 6y ago | Memory safety issues in `compact::Vec` |
| CVE-2020-25026 | unknown | — | — | | | | 6y ago | Information Disclosure in TYPO3 extension sf_event_mgt |
| CVE-2020-15094 | unknown | — | — | | | | 6y ago | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… |
| CVE-2020-8244 | unknown | — | — | | | | 6y ago | A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can becom… |
| CVE-2020-35889 | unknown | — | — | | | | 6y ago | Misbehaving `HandleLike` implementation can lead to memory safety violation |
| CVE-2020-15159 | unknown | — | — | | | | 6y ago | Cross Site Scripting and RCE in baserCMS |
| CVE-2020-15155 | unknown | — | — | | | | 6y ago | Cross Site Scripting (XSS) Vulnerability in Latest Release 4.3.6 Site basic settings |
| CVE-2020-15154 | unknown | — | — | | | | 6y ago | Cross Site Scripting in baserCMS |
| CVE-2020-15156 | unknown | — | — | | | | 6y ago | XSS due to lack of CSRF validation for replying/publishing |
| CVE-2020-7710 | unknown | — | — | | | | 6y ago | Sandbox Breakout / Arbitrary Code Execution in safe-eval |
| CVE-2020-36433 | unknown | — | — | | | | 6y ago | Chunk API does not respect align requirement |
| CVE-2020-36432 | unknown | — | — | | | | 6y ago | Matrix::new() drops uninitialized memory |
| CVE-2020-35888 | unknown | — | — | | | | 6y ago | Multiple security issues including data race, buffer overflow, and uninitialized memory drop |
| CVE-2020-35887 | unknown | — | — | | | | 6y ago | Multiple security issues including data race, buffer overflow, and uninitialized memory drop |
| CVE-2020-35886 | unknown | — | — | | | | 6y ago | Multiple security issues including data race, buffer overflow, and uninitialized memory drop |
| CVE-2020-15147 | unknown | — | — | | | | 6y ago | Red Discord Bot before versions 3.3.12 and 3.4 has a Remote Code Execution vulnerability in the Streams module. This exploit allows Discord users with specifically crafted "going live" messages to in… |
| CVE-2020-15140 | unknown | — | — | | | | 6y ago | In Red Discord Bot before version 3.3.11, a RCE exploit has been discovered in the Trivia module: this exploit allows Discord users with specifically crafted usernames to inject code into the Trivia … |
| CVE-2020-6173 | unknown | — | — | | | | 6y ago | TUF (aka The Update Framework) 0.7.2 through 0.12.1 allows Uncontrolled Resource Consumption. |
| CVE-2020-6174 | unknown | — | — | | | | 6y ago | TUF (aka The Update Framework) through 0.12.1 has Improper Verification of a Cryptographic Signature. |
| CVE-2020-7689 | unknown | — | — | | | | 6y ago | Integer Overflow or Wraparound and Use of a Broken or Risky Cryptographic Algorithm in bcrypt |
| CVE-2020-15142 | unknown | — | — | | | | 6y ago | In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI Document can generate arbitrary Python code. Subsequent execution of this malicious client is arbit… |
| CVE-2020-15141 | unknown | — | — | | | | 6y ago | In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files t… |
| CVE-2020-35885 | unknown | — | — | | | | 6y ago | StrcCtx deallocates a memory region that it doesn't own |
| CVE-2020-15119 | unknown | — | — | | | | 6y ago | DOM-based XSS in auth0-lock |
| CVE-2020-15143 | unknown | — | — | | | | 6y ago | Remote Code Execution in SyliusResourceBundle |
| CVE-2020-15146 | unknown | — | — | | | | 6y ago | Remote Code Execution in SyliusResourceBundle |
| CVE-2020-15151 | unknown | — | — | | | | 6y ago | Observable Timing Discrepancy in OpenMage LTS |
| CVE-2020-12480 | unknown | — | — | | | | 6y ago | CSRF in Play Framework |
| CVE-2020-35883 | unknown | — | — | | | | 6y ago | Missing sanitization in mozwire allows local file overwrite of files ending in .conf |
| CVE-2020-15152 | unknown | — | — | | | | 6y ago | Server-Side Request Forgery in ftp-srv |
| CVE-2020-8205 | unknown | — | — | | | | 6y ago | Server-Side Request Forgery in @uppy/companion |
| CVE-2020-7660 | unknown | — | — | | | | 6y ago | Insecure serialization leading to RCE in serialize-javascript |
| CVE-2020-12648 | unknown | — | — | | | | 6y ago | Cross-site scripting vulnerability in TinyMCE |
| CVE-2020-15138 | unknown | — | — | | | | 6y ago | Prism is vulnerable to Cross-Site Scripting. The easing preview of the Previewers plugin has an XSS vulnerability that allows attackers to execute arbitrary code in Safari and Internet Explorer. This… |
| CVE-2020-15132 | unknown | — | — | | | | 6y ago | Reset Password / Login vulnerability in Sulu |
| CVE-2020-8192 | unknown | — | — | | | | 6y ago | Denial of service in fastify |
| CVE-2020-7699 | unknown | — | — | | | | 6y ago | Prototype Pollution in express-fileupload |
| CVE-2020-5413 | unknown | — | — | | | | 6y ago | Code execution in Spring Integration |
| CVE-2020-15128 | unknown | — | — | | | | 6y ago | Reliance on Cookies without validation in OctoberCMS |
| CVE-2020-11083 | unknown | — | — | | | | 6y ago | Stored XSS in October |
| CVE-2020-13921 | unknown | — | — | | | | 6y ago | SQL Injection in Apache SkyWalking |
| CVE-2020-15135 | unknown | — | — | | | | 6y ago | CSRF vulnerability in save-server |
| CVE-2020-16254 | unknown | — | — | | | | 6y ago | CSS Injection in Chartkick gem |
| CVE-2020-16253 | unknown | — | — | | | | 6y ago | PgHero gem allows CSRF |
| CVE-2020-15109 | unknown | — | — | | | | 6y ago | Ability to change order address without triggering address validations in solidus |
| CVE-2020-16252 | unknown | — | — | | | | 6y ago | Field Test CSRF vulnerability |
| CVE-2020-16095 | unknown | — | — | | | | 6y ago | Cross-site Scripting vulnerability in Kitodo.Presentation |
| CVE-2020-15134 | unknown | — | — | | | | 6y ago | In Faye before version 1.4.0, there is a lack of certification validation in TLS handshakes. Faye uses em-http-request and faye-websocket in the Ruby version of its client. Those libraries both use the … |
| CVE-2020-15133 | unknown | — | — | | | | 6y ago | In faye-websocket before version 0.11.0, there is a lack of certification validation in TLS handshakes. The `Faye::WebSocket::Client` class uses the `EM::Connection#start_tls` method in EventMachine … |
| CVE-2020-15131 | unknown | — | — | | | | 6y ago | False-positive validity for NFT1 genesis transactions |
| CVE-2020-15130 | unknown | — | — | | | | 6y ago | False-positive validity for NFT1 genesis transactions in SLPJS |
| CVE-2020-13822 | unknown | — | — | | | | 6y ago | The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact… |
| CVE-2020-11994 | unknown | — | — | | | | 6y ago | Server side template injection in Apache Camel |
| CVE-2020-15515 | unknown | — | — | | | | 6y ago | Remote code execution in turn extension for TYPO3 |
| CVE-2020-15513 | unknown | — | — | | | | 6y ago | Incorrect access control in typo3_forum |
| CVE-2020-7686 | unknown | — | — | | | | 6y ago | Directory traversal in rollup-plugin-server |
| CVE-2020-7695 | unknown | — | — | | | | 6y ago | Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF sequences are not escaped in the value of HTTP headers. Attackers can exploit this to add arbitrary headers to HTTP responses, or … |
| CVE-2020-7694 | unknown | — | — | | | | 6y ago | This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to ANSI escape sequence injection. Whenever any HTTP request is received, the default behaviour … |
| CVE-2020-7683 | unknown | — | — | | | | 6y ago | Directory traversal in rollup-plugin-server |
| CVE-2020-7685 | unknown | — | — | | | | 6y ago | Insecure defaults in UmbracoForms |
| CVE-2020-15125 | unknown | — | — | | | | 6y ago | Authorization header is not sanitized in an error object in auth0 |
| CVE-2020-15099 | unknown | — | — | | | | 6y ago | Exposure of Sensitive Information to an Unauthorized Actor in TYPO3 CMS |
| CVE-2020-15098 | unknown | — | — | | | | 6y ago | Missing Required Cryptographic Step Leading to Sensitive Information Disclosure in TYPO3 CMS |
| CVE-2020-15086 | unknown | — | — | | | | 6y ago | Potential Remote Code Execution in TYPO3 with mediace extension |
| CVE-2020-1937 | unknown | — | — | | | | 6y ago | SQL Injection in Kylin |
| CVE-2020-13926 | unknown | — | — | | | | 6y ago | SQL Injection in Kylin |
| CVE-2020-13925 | unknown | — | — | | | | 6y ago | Command Injection in Kylin |
| CVE-2020-10177 | unknown | — | — | | | | 6y ago | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. |
| CVE-2020-10379 | unknown | — | — | | | | 6y ago | In Pillow before 7.1.0, there are two Buffer Overflows in libImaging/TiffDecode.c. |
| CVE-2020-10994 | unknown | — | — | | | | 6y ago | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. |