CVEs from 2020
Total
3,803
critical
critical 206
high
high 563
medium
medium 744
low
low 59
% Critical
5.4%
% with KEV
3.8%
% with exploit
5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-12825 | medium | — | 5.5 | 6y ago | RHSA-2020:3654: libcroco security update (Moderate) | |||
| CVE-2020-7608 | medium | — | 5.5 | 6y ago | RHSA-2021:0548: nodejs:10 security update (Moderate) | |||
| CVE-2020-1574 | medium | 5.5 | 5.5 | 6y ago | A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitra… | |||
| CVE-2020-12402 | medium | — | 5.5 | 6y ago | During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perfo… | |||
| CVE-2020-8116 | medium | — | 5.5 | 6y ago | RHSA-2021:0548: nodejs:10 security update (Moderate) | |||
| CVE-2020-14309 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-14308 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-14310 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-14311 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-15705 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-15706 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-15707 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-10713 | medium | — | 5.5 | 6y ago | RHSA-2020:3219: kernel-rt security and bug fix update (Moderate) | |||
| CVE-2020-15780 | medium | — | 5.5 | 6y ago | An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot… | |||
| CVE-2020-1983 | medium | — | 5.5 | 6y ago | A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. | |||
| CVE-2020-10754 | medium | — | 5.5 | 6y ago | RHSA-2020:3011: NetworkManager security and bug fix update (Moderate) | |||
| CVE-2020-15095 | medium | — | 5.5 | 6y ago | Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:… | |||
| CVE-2020-15368 | medium | 5.5 | 5.5 | 6y ago | AsrDrv103.sys in the ASRock RGB Driver does not properly restrict access from user space, as demonstrated by triggering a triple fault via a request to zero CR3. | |||
| CVE-2020-13112 | medium | — | 5.5 | 6y ago | RHSA-2020:2550: libexif security update (Moderate) | |||
| CVE-2020-13596 | medium | — | 5.5 | 6y ago | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility … | |||
| CVE-2020-13254 | medium | — | 5.5 | 6y ago | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collis… | |||
| CVE-2020-9547 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-10673 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-9548 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-11501 | medium | — | 5.5 | 6y ago | RHSA-2020:1998: gnutls security update (Moderate) | |||
| CVE-2020-1702 | medium | — | 5.5 | 6y ago | RHSA-2020:1650: container-tools:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-5395 | medium | — | 5.5 | 6y ago | RHSA-2020:4844: fontforge security update (Moderate) | |||
| CVE-2020-10672 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-10663 | medium | — | 5.5 | 6y ago | RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-8840 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-1935 | medium | — | 5.5 | 6y ago | In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as va… | |||
| CVE-2020-7595 | medium | — | 5.5 | 6y ago | RHSA-2020:4479: libxml2 security update (Moderate) | |||
| CVE-2020-7471 | medium | — | 5.5 | 6y ago | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data … | |||
| CVE-2020-25900 | medium | 5.3 | 5.3 | 2h ago | HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client … | |||
| CVE-2020-37241 | medium | 5.3 | 5.3 | 20d ago | bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can… | |||
| CVE-2020-8927 | medium | 5.3 | 5.3 | 5y ago | RHSA-2022:0830: .NET 5.0 security and bugfix update (Important) | |||
| CVE-2020-26146 | medium | 5.3 | 5.3 | 5y ago | An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfi… | |||
| CVE-2020-27283 | medium | 5.3 | 5.3 | 6y ago | An attacker could send a specially crafted message to Crimson 3.1 (Build versions prior to 3119.001) that could leak arbitrary memory locations. | |||
| CVE-2020-7549 | medium | 5.3 | 5.3 | 6y ago | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication … | |||
| CVE-2020-29372 | medium | 4.7 | 4.7 | 6y ago | An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1… | |||
| CVE-2020-37217 | medium | 4.3 | 4.3 | 23d ago | Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attack… | |||
| CVE-2020-7568 | medium | 4.3 | 4.3 | 6y ago | A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon M221 (all references, all versions) that could allow non sensitive information disclosure when th… | |||
| CVE-2020-8166 | medium | 4.3 | 4.3 | 6y ago | Ability to forge per-form CSRF tokens in Rails | |||
| CVE-2020-8561 | medium | 4.1 | 4.1 | 5y ago | A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver re… | |||
| CVE-2020-9488 | low | 3.7 | 3.7 | 6y ago | Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log mess… | |||
| CVE-2020-7656 | low | — | 3.5 | 6y ago | RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) | |||
| CVE-2020-12823 | low | — | 2.5 | — | OpenConnect 8.09 has a buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c. | |||
| CVE-2020-22026 | low | — | 2.5 | — | Buffer Overflow vulnerability exists in FFmpeg 4.2 in the config_input function at libavfilter/af_tremolo.c, which could let a remote malicious user cause a Denial of Service. | |||
| CVE-2020-35112 | low | — | 2.5 | — | If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an … | |||
| CVE-2020-16121 | low | — | 2.5 | — | PackageKit provided detailed error messages to unprivileged callers that exposed information about file presence and mimetype of files that the user would be unable to determine on its own. | |||
| CVE-2020-24823 | low | — | 2.5 | — | A vulnerability in the dwarf::to_string function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-22024 | low | — | 2.5 | — | Buffer Overflow vulnerability in FFmpeg 4.2 at the lagfun_frame16 function in libavfilter/vf_lagfun.c, which could let a remote malicious user cause Denial of Service. | |||
| CVE-2020-24826 | low | — | 2.5 | — | A vulnerability in the elf::section::as_strtab function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-35501 | low | — | 2.5 | — | A flaw was found in the Linux kernels implementation of audit rules, where a syscall can unexpectedly not be correctly not be logged by the audit subsystem | |||
| CVE-2020-14196 | low | — | 2.5 | — | In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. | |||
| CVE-2020-24821 | low | — | 2.5 | — | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-24827 | low | — | 2.5 | — | A vulnerability in the dwarf::cursor::skip_form function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-9359 | low | — | 2.5 | — | KDE Okular before 1.10.0 allows code execution via an action link in a PDF document. | |||
| CVE-2020-12755 | low | — | 2.5 | — | fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0 makes a cacheAuthentication call even if the user had not set the keepPassword option. This may lead to unintended… | |||
| CVE-2020-20448 | low | — | 2.5 | — | FFmpeg 4.1.3 is affected by a Divide By Zero issue via libavcodec/ratecontrol.c, which allows a remote malicious user to cause a Denial of Service. | |||
| CVE-2020-29562 | low | — | 2.5 | — | The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, … | |||
| CVE-2020-28030 | low | — | 2.5 | — | In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was addressed in epan/dissectors/packet-gquic.c by correcting the implementation of offset advancement. | |||
| CVE-2020-18974 | low | — | 2.5 | — | Buffer Overflow in Netwide Assembler (NASM) v2.15.xx allows attackers to cause a denial of service via 'crc64i' in the component 'nasmlib/crc64'. This issue is different than CVE-2019-7147. | |||
| CVE-2020-15466 | low | — | 2.5 | — | In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infinite loop. This was addressed in epan/dissectors/packet-gvcp.c by ensuring that an offset increases in all situations. | |||
| CVE-2020-27673 | low | — | 2.5 | — | An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. Guest OS users can cause a denial of service (host OS hang) via a high rate of events to dom0, aka CID-e995… | |||
| CVE-2020-11867 | low | — | 2.5 | — | Audacity through 2.3.3 saves temporary files to /var/tmp/audacity-$USER by default. After Audacity creates the temporary directory, it sets its permissions to 755. Any user on the system can read and… | |||
| CVE-2020-25691 | low | — | 2.5 | — | denial of service in darkhttpd | |||
| CVE-2020-18773 | low | — | 2.5 | — | An invalid memory access in the decode function in iptc.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif file. | |||
| CVE-2020-18774 | low | — | 2.5 | — | A float point exception in the printLong function in tags_int.cpp of Exiv2 0.27.99.0 allows attackers to cause a denial of service (DOS) via a crafted tif file. | |||
| CVE-2020-27837 | low | — | 2.5 | — | A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessin… | |||
| CVE-2020-22028 | low | — | 2.5 | — | Buffer Overflow vulnerability exists in FFmpeg 4.2 in filter_vertically_8 at libavfilter/vf_avgblur.c, which could cause a remote Denial of Service. | |||
| CVE-2020-35450 | low | — | 2.5 | — | Gobby 0.4.11 allows a NULL pointer dereference in the D-Bus handler for certain set_language calls. | |||
| CVE-2020-24822 | low | — | 2.5 | — | A vulnerability in the dwarf::cursor::uleb function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-27675 | low | — | 2.5 | — | An issue was discovered in the Linux kernel through 5.9.1, as used with Xen through 4.14.x. drivers/xen/events/events_base.c allows event-channel removal during the event-handling loop (a race condit… | |||
| CVE-2020-24825 | low | — | 2.5 | — | A vulnerability in the line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS) through a segmentation fault via a crafted ELF file. | |||
| CVE-2020-25639 | low | — | 2.5 | — | A NULL pointer dereference flaw was found in the Linux kernel's GPU Nouveau driver functionality in versions prior to 5.12-rc1 in the way the user calls ioctl DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC. This fl… | |||
| CVE-2020-24824 | low | — | 2.5 | — | A global buffer overflow issue in the dwarf::line_table::line_table function of Libelfin v0.3 allows attackers to cause a denial of service (DOS). | |||
| CVE-2020-24363 | unknown | — | 2.5 | 9mo ago | TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST … | |||
| CVE-2020-2883 | unknown | — | 2.5 | 1y ago | Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3. | |||
| CVE-2020-0618 | unknown | — | 2.5 | 2y ago | Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in t… | |||
| CVE-2020-21710 | low | — | 2.5 | 2y ago | RHSA-2024:2966: ghostscript security update (Low) | |||
| CVE-2020-5741 | unknown | — | 2.5 | 3y ago | Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload featur… | |||
| CVE-2020-23903 | low | — | 2.5 | 4y ago | Low: speex security update | |||
| CVE-2020-3433 | unknown | — | 2.5 | 4y ago | Cisco AnyConnect Secure Mobility Client for Windows interprocess communication (IPC) channel allows for insufficient validation of resources that are loaded by the application at run time. An attacke… | |||
| CVE-2020-3153 | unknown | — | 2.5 | 4y ago | Cisco AnyConnect Secure Mobility Client for Windows allows for incorrect handling of directory paths. An attacker with valid credentials on Windows would be able to copy malicious files to arbitrary … | |||
| CVE-2020-9934 | unknown | — | 2.5 | 4y ago | Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information. | |||
| CVE-2020-0601 | unknown | — | 2.5 | 4y ago | Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by usin… | |||
| CVE-2020-3837 | unknown | — | 2.5 | 4y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. | |||
| CVE-2020-13950 | low | — | 2.5 | 4y ago | Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests using both Content-Length and Transfer-Encoding headers, le… | |||
| CVE-2020-22083 | low | — | 2.5 | 4y ago | ** DISPUTED ** jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and cl… | |||
| CVE-2020-16846 | unknown | — | 2.5 | 4y ago | SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users runnin… | |||
| CVE-2020-11651 | unknown | — | 2.5 | 4y ago | SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some m… | |||
| CVE-2020-11652 | unknown | — | 2.5 | 4y ago | SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. Salt users who follow fundamental internet security … | |||
| CVE-2020-7961 | unknown | — | 2.5 | 4y ago | Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services. | |||
| CVE-2020-17489 | low | — | 2.5 | 4y ago | RHSA-2022:1814: gnome-shell security and bug fix update (Low) | |||
| CVE-2020-25223 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. | |||
| CVE-2020-0796 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerabili… | |||
| CVE-2020-17530 | unknown | — | 2.5 | 4y ago | Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution. | |||
| CVE-2020-0787 | unknown | — | 2.5 | 4y ago | Microsoft Windows BITS is vulnerable to to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-l… | |||
| CVE-2020-5722 | unknown | — | 2.5 | 4y ago | Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root. |