CVEs from 2020
Total
3,811
critical
critical 206
high
high 563
medium
medium 743
low
low 59
% Critical
5.4%
% with KEV
3.8%
% with exploit
5.4%
Top vendors
- oracle 476
- schneider-electric 139
- siemens 103
- netapp 28
- arista 15
- rockwellautomation 9
- fasterxml 8
- kubernetes 8
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-6418 | high | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web… | |||
| CVE-2020-35730 | high | — | 9.5 | 3y ago | Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by lin… | |||
| CVE-2020-16017 | high | — | 9.5 | 6y ago | Google Chrome contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-16013 | high | — | 9.5 | 6y ago | Google Chromium V8 Engine contains an inappropriate implementation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could… | |||
| CVE-2020-6507 | high | — | 9.0 | — | Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-16040 | high | — | 9.0 | — | Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-15238 | high | — | 9.0 | — | Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depe… | |||
| CVE-2020-13379 | high | — | 9.0 | 4y ago | RHSA-2020:2641: grafana security update (Important) | |||
| CVE-2020-12352 | high | — | 9.0 | 6y ago | Improper access control in BlueZ may allow an unauthenticated user to potentially enable information disclosure via adjacent access. | |||
| CVE-2020-12351 | high | — | 9.0 | 6y ago | Improper input validation in BlueZ may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | |||
| CVE-2020-8617 | high | — | 9.0 | 6y ago | RHSA-2020:2338: bind security update (Important) | |||
| CVE-2020-37227 | high | 8.8 | 8.8 | 19d ago | HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can… | |||
| CVE-2020-7534 | high | 8.8 | 8.8 | 4y ago | A CWE-352: Cross-Site Request Forgery (CSRF) vulnerability exists on the web server used, that could cause a leak of sensitive data or unauthorized actions on the web server during the time the user … | |||
| CVE-2020-7564 | high | 8.8 | 8.8 | 6y ago | A CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their C… | |||
| CVE-2020-7563 | high | 8.8 | 8.8 | 6y ago | A CWE-787: Out-of-bounds Write vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details)… | |||
| CVE-2020-11113 | high | 8.8 | 8.8 | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |||
| CVE-2020-11112 | high | 8.8 | 8.8 | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |||
| CVE-2020-37221 | high | 8.4 | 8.4 | 22d ago | Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Cloc… | |||
| CVE-2020-37244 | high | 8.2 | 8.2 | 19d ago | Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' p… | |||
| CVE-2020-37243 | high | 8.2 | 8.2 | 19d ago | Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl acti… | |||
| CVE-2020-37242 | high | 8.2 | 8.2 | 19d ago | Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parame… | |||
| CVE-2020-37218 | high | 8.2 | 8.2 | 22d ago | Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the … | |||
| CVE-2020-37004 | high | 8.2 | 8.2 | 4mo ago | The Ultimate Project Manager CRM PRO version 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attac… | |||
| CVE-2020-36183 | high | 8.1 | 8.1 | 6y ago | Unsafe Deserialization in jackson-databind | |||
| CVE-2020-35728 | high | 8.1 | 8.1 | 6y ago | Serialization gadget exploit in jackson-databind | |||
| CVE-2020-7562 | high | 8.1 | 8.1 | 6y ago | A CWE-125: Out-of-Bounds Read vulnerability exists in the Web Server on Modicon M340, Modicon Quantum and Modicon Premium Legacy offers and their Communication Modules (see notification for details) … | |||
| CVE-2020-14060 | high | 8.1 | 8.1 | 6y ago | Deserialization of untrusted data in Jackson Databind | |||
| CVE-2020-14062 | high | 8.1 | 8.1 | 6y ago | Deserialization of untrusted data in Jackson Databind | |||
| CVE-2020-11619 | high | 8.1 | 8.1 | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |||
| CVE-2020-15888 | high | — | 8.0 | — | Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffer overflow, heap-based buffer over-read, or use-after-free. | |||
| CVE-2020-35701 | high | — | 8.0 | — | An issue was discovered in Cacti 1.2.x through 1.2.16. A SQL injection vulnerability in data_debug.php allows remote authenticated attackers to execute arbitrary SQL commands via the site_id paramete… | |||
| CVE-2020-6454 | high | — | 8.0 | — | Use after free in extensions in Google Chrome prior to 81.0.4044.92 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chro… | |||
| CVE-2020-6459 | high | — | 8.0 | — | Use after free in payments in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-26164 | high | — | 8.0 | — | In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a De… | |||
| CVE-2020-6470 | high | — | 8.0 | — | Insufficient validation of untrusted input in clipboard in Google Chrome prior to 83.0.4103.61 allowed a local attacker to inject arbitrary scripts or HTML (UXSS) via crafted clipboard contents. | |||
| CVE-2020-16026 | high | — | 8.0 | — | Use after free in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6469 | high | — | 8.0 | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox es… | |||
| CVE-2020-9383 | high | — | 8.0 | — | An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before a… | |||
| CVE-2020-15953 | high | — | 8.0 | — | LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other products, has a STARTTLS buffering issue that affects IMAP, SMTP, and POP3. When a server sends a "begin TLS" response, the clien… | |||
| CVE-2020-28014 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. | |||
| CVE-2020-28020 | high | — | 8.0 | — | Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header… | |||
| CVE-2020-6574 | high | — | 8.0 | — | Insufficient policy enforcement in installer in Google Chrome on OS X prior to 85.0.4183.102 allowed a local attacker to potentially achieve privilege escalation via a crafted binary. | |||
| CVE-2020-15966 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive informa… | |||
| CVE-2020-16025 | high | — | 8.0 | — | Heap buffer overflow in clipboard in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML … | |||
| CVE-2020-14302 | high | — | 8.0 | — | multiple issues in keycloak | |||
| CVE-2020-28016 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase. | |||
| CVE-2020-15889 | high | — | 8.0 | — | Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members. | |||
| CVE-2020-15961 | high | — | 8.0 | — | Insufficient policy validation in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape … | |||
| CVE-2020-6458 | high | — | 8.0 | — | Out of bounds read and write in PDFium in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. | |||
| CVE-2020-28009 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation … | |||
| CVE-2020-16043 | high | — | 8.0 | — | Insufficient data validation in networking in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to bypass discretionary access control via malicious network traffic. | |||
| CVE-2020-6477 | high | — | 8.0 | — | Inappropriate implementation in installer in Google Chrome on OS X prior to 83.0.4103.61 allowed a local attacker to perform privilege escalation via a crafted file. | |||
| CVE-2020-16027 | high | — | 8.0 | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 87.0.4280.66 allowed an attacker who convinced a user to install a malicious extension to obtain potentially sensitive inf… | |||
| CVE-2020-28017 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of res… | |||
| CVE-2020-6490 | high | — | 8.0 | — | Insufficient data validation in loader in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had been able to write to disk to leak cross-origin data via a crafted HTML page. | |||
| CVE-2020-16023 | high | — | 8.0 | — | Use after free in WebCodecs in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-16021 | high | — | 8.0 | — | Race in image burner in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to perform OS-level privilege escalation via a malicious file. | |||
| CVE-2020-6434 | high | — | 8.0 | — | Use after free in devtools in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-35176 | high | — | 8.0 | — | In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial absolute pathname (omitting the initial /etc), even though it was intended to only read a file in the /etc/awstats/awstats.conf fo… | |||
| CVE-2020-6475 | high | — | 8.0 | — | Incorrect implementation in full screen in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2020-6431 | high | — | 8.0 | — | Insufficient policy enforcement in full screen in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2020-14387 | high | — | 8.0 | — | A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing… | |||
| CVE-2020-16035 | high | — | 8.0 | — | Insufficient data validation in cros-disks in Google Chrome on ChromeOS prior to 87.0.4280.66 allowed a remote attacker who had compromised the browser process to bypass noexec restrictions via a mal… | |||
| CVE-2020-16022 | high | — | 8.0 | — | Insufficient policy enforcement in networking in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially bypass firewall controls via a crafted HTML page. | |||
| CVE-2020-6479 | high | — | 8.0 | — | Inappropriate implementation in sharing in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2020-16028 | high | — | 8.0 | — | Heap buffer overflow in WebRTC in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6579 | high | — | 8.0 | — | multiple issues in chromium | |||
| CVE-2020-6432 | high | — | 8.0 | — | Insufficient policy enforcement in navigations in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-28013 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the i… | |||
| CVE-2020-28007 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting crit… | |||
| CVE-2020-28008 | high | — | 8.0 | — | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input s… | |||
| CVE-2020-16032 | high | — | 8.0 | — | Insufficient data validation in sharing in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2020-6449 | high | — | 8.0 | — | Use after free in audio in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6451 | high | — | 8.0 | — | Use after free in WebAudio in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6452 | high | — | 8.0 | — | Heap buffer overflow in media in Google Chrome prior to 80.0.3987.162 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-16038 | high | — | 8.0 | — | Use after free in media in Google Chrome on OS X prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-15166 | high | — | 8.0 | — | In ZeroMQ before version 4.3.3, there is a denial-of-service vulnerability. Users with TCP transport public endpoints, even with CURVE/ZAP enabled, are impacted. If a raw TCP socket is opened and con… | |||
| CVE-2020-6485 | high | — | 8.0 | — | Insufficient data validation in media router in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted … | |||
| CVE-2020-6460 | high | — | 8.0 | — | Insufficient data validation in URL formatting in Google Chrome prior to 81.0.4044.122 allowed a remote attacker to perform domain spoofing via a crafted domain name. | |||
| CVE-2020-6461 | high | — | 8.0 | — | Use after free in storage in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-6462 | high | — | 8.0 | — | Use after free in task scheduling in Google Chrome prior to 81.0.4044.129 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML… | |||
| CVE-2020-6466 | high | — | 8.0 | — | Use after free in media in Google Chrome prior to 83.0.4103.61 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-6486 | high | — | 8.0 | — | Insufficient policy enforcement in navigations in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-6481 | high | — | 8.0 | — | Insufficient policy enforcement in URL formatting in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to perform domain spoofing via a crafted domain name. | |||
| CVE-2020-6473 | high | — | 8.0 | — | Insufficient policy enforcement in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2020-16018 | high | — | 8.0 | — | Use after free in payments in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-6478 | high | — | 8.0 | — | Inappropriate implementation in full screen in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2020-15963 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 85.0.4183.121 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape… | |||
| CVE-2020-6474 | high | — | 8.0 | — | Use after free in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6482 | high | — | 8.0 | — | Insufficient policy enforcement in developer tools in Google Chrome prior to 83.0.4103.61 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions v… | |||
| CVE-2020-6483 | high | — | 8.0 | — | Insufficient policy enforcement in payments in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-6493 | high | — | 8.0 | — | Use after free in WebAuthentication in Google Chrome prior to 83.0.4103.97 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTM… | |||
| CVE-2020-6494 | high | — | 8.0 | — | Incorrect security UI in payments in Google Chrome on Android prior to 83.0.4103.97 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2020-6487 | high | — | 8.0 | — | Insufficient policy enforcement in downloads in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2020-6491 | high | — | 8.0 | — | Insufficient data validation in site information in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to spoof security UI via a crafted domain name. | |||
| CVE-2020-6420 | high | — | 8.0 | — | Insufficient policy enforcement in media in Google Chrome prior to 80.0.3987.132 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||
| CVE-2020-16024 | high | — | 8.0 | — | Heap buffer overflow in UI in Google Chrome prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2020-6424 | high | — | 8.0 | — | Use after free in media in Google Chrome prior to 80.0.3987.149 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2020-6435 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 81.0.4044.92 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted… | |||
| CVE-2020-6509 | high | — | 8.0 | — | Use after free in extensions in Google Chrome prior to 83.0.4103.116 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Ch… |