CVEs from 2020
Total: 3,976
Critical: 169
High: 590
Medium: 739
Low: 59
% Critical: 4.3%
% with KEV: 3.7%
% with exploit: 4.0%
Top vendors
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-14310 | medium | — | 5.5 | 6y ago | RHSA-2020:3216: grub2 security update (Moderate) | |||
| CVE-2020-10713 | medium | — | 5.5 | 6y ago | RHSA-2020:3219: kernel-rt security and bug fix update (Moderate) | |||
| CVE-2020-1983 | medium | — | 5.5 | 6y ago | RHSA-2020:4676: virt:rhel and virt-devel:rhel security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-10754 | medium | — | 5.5 | 6y ago | RHSA-2020:3011: NetworkManager security and bug fix update (Moderate) | |||
| CVE-2020-15095 | medium | — | 5.5 | 6y ago | RHSA-2021:0548: nodejs:10 security update (Moderate) | |||
| CVE-2020-15368 | medium | 5.5 | 5.5 | 6y ago | AsrDrv103.sys in the ASRock RGB Driver does not properly restrict access from user space, as demonstrated by triggering a triple fault via a request to zero CR3. | |||
| CVE-2020-13112 | medium | — | 5.5 | 6y ago | RHSA-2020:2550: libexif security update (Moderate) | |||
| CVE-2020-13596 | medium | — | 5.5 | 6y ago | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. Query parameters generated by the Django admin ForeignKeyRawIdWidget were not properly URL encoded, leading to a possibility … | |||
| CVE-2020-13254 | medium | — | 5.5 | 6y ago | An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collis… | |||
| CVE-2020-9547 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-10673 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-9548 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-11501 | medium | — | 5.5 | 6y ago | RHSA-2020:1998: gnutls security update (Moderate) | |||
| CVE-2020-11022 | medium | — | 5.5 | 6y ago | RHSA-2020:4847: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-1702 | medium | — | 5.5 | 6y ago | RHSA-2020:1650: container-tools:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-5395 | medium | — | 5.5 | 6y ago | RHSA-2020:4844: fontforge security update (Moderate) | |||
| CVE-2020-10672 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-10663 | medium | — | 5.5 | 6y ago | RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-8840 | medium | — | 5.5 | 6y ago | RHSA-2020:1644: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-1935 | medium | — | 5.5 | 6y ago | RHSA-2020:4847: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2020-7595 | medium | — | 5.5 | 6y ago | RHSA-2020:4479: libxml2 security update (Moderate) | |||
| CVE-2020-7471 | medium | — | 5.5 | 6y ago | Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data … | |||
| CVE-2020-37241 | medium | 5.3 | 5.3 | 14d ago | bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can… | |||
| CVE-2020-8927 | medium | 5.3 | 5.3 | 5y ago | RHSA-2022:0830: .NET 5.0 security and bugfix update (Important) | |||
| CVE-2020-7549 | medium | 5.3 | 5.3 | 6y ago | A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication … | |||
| CVE-2020-29372 | medium | 4.7 | 4.7 | 6y ago | An issue was discovered in do_madvise in mm/madvise.c in the Linux kernel before 5.6.8. There is a race condition between coredump operations and the IORING_OP_MADVISE implementation, aka CID-bc0c4d1… | |||
| CVE-2020-37217 | medium | 4.3 | 4.3 | 17d ago | Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attack… | |||
| CVE-2020-7568 | medium | 4.3 | 4.3 | 6y ago | A CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Modicon M221 (all references, all versions) that could allow non sensitive information disclosure when th… | |||
| CVE-2020-8166 | medium | 4.3 | 4.3 | 6y ago | Ability to forge per-form CSRF tokens in Rails | |||
| CVE-2020-2883 | unknown | — | 2.5 | 1y ago | Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3. | |||
| CVE-2020-0618 | unknown | — | 2.5 | 2y ago | Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in t… | |||
| CVE-2020-5741 | unknown | — | 2.5 | 3y ago | Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload featur… | |||
| CVE-2020-3433 | unknown | — | 2.5 | 4y ago | Cisco AnyConnect Secure Mobility Client for Windows interprocess communication (IPC) channel allows for insufficient validation of resources that are loaded by the application at run time. An attacke… | |||
| CVE-2020-3153 | unknown | — | 2.5 | 4y ago | Cisco AnyConnect Secure Mobility Client for Windows allows for incorrect handling of directory paths. An attacker with valid credentials on Windows would be able to copy malicious files to arbitrary … | |||
| CVE-2020-9934 | unknown | — | 2.5 | 4y ago | Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information. | |||
| CVE-2020-16846 | unknown | — | 2.5 | 4y ago | SaltStack Salt allows an unauthenticated user with network access to the Salt API to use shell injections to run code on the Salt API using the SSH client. This vulnerability affects any users runnin… | |||
| CVE-2020-11651 | unknown | — | 2.5 | 4y ago | SaltStack Salt contains an authentication bypass vulnerability in the salt-master process ClearFuncs due to improperly validating method calls. The vulnerability allows a remote user to access some m… | |||
| CVE-2020-11652 | unknown | — | 2.5 | 4y ago | SaltStack Salt contains a path traversal vulnerability in the salt-master process ClearFuncs which allows directory access to authenticated users. Salt users who follow fundamental internet security … | |||
| CVE-2020-7961 | unknown | — | 2.5 | 4y ago | Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services. | |||
| CVE-2020-25223 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM. | |||
| CVE-2020-0796 | unknown | — | 2.5 | 4y ago | A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerabili… | |||
| CVE-2020-17530 | unknown | — | 2.5 | 4y ago | Forced Object-Graph Navigation Language (OGNL) evaluation in Apache Struts, when evaluated on raw user input in tag attributes, can lead to remote code execution. | |||
| CVE-2020-0787 | unknown | — | 2.5 | 4y ago | Microsoft Windows BITS is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-l… | |||
| CVE-2020-5722 | unknown | — | 2.5 | 4y ago | Grandstream UCM6200 series is vulnerable to an unauthenticated remote SQL injection via crafted HTTP request. Exploitation can allow for code execution as root. | |||
| CVE-2020-8816 | unknown | — | 2.5 | 5y ago | Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease. | |||
| CVE-2020-3950 | unknown | — | 2.5 | 5y ago | VMware Fusion, Remote Console (VMRC) for Mac, and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries that allows attackers to escalate privileg… | |||
| CVE-2020-17496 | unknown | — | 2.5 | 5y ago | The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. Thi… | |||
| CVE-2020-5847 | unknown | — | 2.5 | 5y ago | Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access. | |||
| CVE-2020-14883 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentiality, integrity, and availability. | |||
| CVE-2020-14750 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882. | |||
| CVE-2020-5902 | unknown | — | 2.5 | 5y ago | F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages. | |||
| CVE-2020-8655 | unknown | — | 2.5 | 5y ago | EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap7. | |||
| CVE-2020-8657 | unknown | — | 2.5 | 5y ago | EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token. | |||
| CVE-2020-15505 | unknown | — | 2.5 | 5y ago | Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-3952 | unknown | — | 2.5 | 5y ago | VMware vCenter Server contains an information disclosure vulnerability in the VMware Directory Service (vmdir) when the Platform Services Controller (PSC) does not correctly implement access controls… | |||
| CVE-2020-25213 | unknown | — | 2.5 | 5y ago | WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site. | |||
| CVE-2020-11738 | unknown | — | 2.5 | 5y ago | WordPress Snap Creek Duplicator plugin contains a file download vulnerability when an administrator creates a new copy of their site that allows an attacker to download the generated files from their… | |||
| CVE-2020-1054 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability when the Windows kernel-mode driver fails to properly handle objects in memory. Successful exploitation allows an attacker to execute co… | |||
| CVE-2020-0688 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server Validation Key fails to properly create unique keys at install time, allowing for remote code execution. | |||
| CVE-2020-4427 | unknown | — | 2.5 | 5y ago | IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially craf… | |||
| CVE-2020-4428 | unknown | — | 2.5 | 5y ago | IBM Data Risk Manager contains an unspecified vulnerability which could allow a remote, authenticated attacker to execute commands on the system. | |||
| CVE-2020-0646 | unknown | — | 2.5 | 5y ago | Microsoft .NET Framework contains an improper input validation vulnerability that allows for remote code execution. | |||
| CVE-2020-2555 | unknown | — | 2.5 | 5y ago | Multiple Oracle products contain a remote code execution vulnerability that allows an unauthenticated attacker with network access via T3 or HTTP to takeover the affected system. Impacted Oracle prod… | |||
| CVE-2020-14882 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related to CVE-2020-14750. | |||
| CVE-2020-14871 | unknown | — | 2.5 | 5y ago | Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected systems. | |||
| CVE-2020-8644 | unknown | — | 2.5 | 5y ago | PlaySMS contains a server-side template injection vulnerability that allows for remote code execution. | |||
| CVE-2020-8260 | unknown | — | 2.5 | 5y ago | Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction. | |||
| CVE-2020-6287 | unknown | — | 2.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create adminis… | |||
| CVE-2020-6207 | unknown | — | 2.5 | 5y ago | SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution M… | |||
| CVE-2020-5849 | unknown | — | 2.5 | 5y ago | Unraid contains an authentication bypass vulnerability that allows attackers to gain access to the administrative interface. This CVE is chainable with CVE-2020-5847 for remote code execution. | |||
| CVE-2020-10189 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution. | |||
| CVE-2020-13927 | unknown | — | 2.5 | 5y ago | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication. | |||
| CVE-2020-17519 | unknown | — | 2.5 | 6y ago | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. | |||
| CVE-2020-11978 | unknown | — | 2.5 | 6y ago | A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow. | |||
| CVE-2020-5410 | unknown | — | 2.5 | 6y ago | Spring Cloud Config, by VMware Tanzu, contains a path traversal vulnerability that allows applications to serve arbitrary configuration files. | |||
| CVE-2020-10199 | unknown | — | 2.5 | 6y ago | Sonatype Nexus Repository contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-9715 | unknown | — | 1.5 | 2mo ago | Adobe Acrobat contains a use-after-free vulnerability that allows for code execution. | |||
| CVE-2020-7796 | unknown | — | 1.5 | 3mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled. | |||
| CVE-2020-24363 | unknown | — | 1.5 | 9mo ago | TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST … | |||
| CVE-2020-25078 | unknown | — | 1.5 | 10mo ago | D-Link DCS-2530L and DCS-2670L devices contain an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end… | |||
| CVE-2020-25079 | unknown | — | 1.5 | 10mo ago | D-Link DCS-2530L and DCS-2670L devices contain a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users shou… | |||
| CVE-2020-29574 | unknown | — | 1.5 | 1y ago | CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely. | |||
| CVE-2020-15069 | unknown | — | 1.5 | 1y ago | Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature. | |||
| CVE-2020-15415 | unknown | — | 1.5 | 2y ago | DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacte… | |||
| CVE-2020-14644 | unknown | — | 1.5 | 2y ago | Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerabi… | |||
| CVE-2020-13965 | unknown | — | 1.5 | 2y ago | Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment. | |||
| CVE-2020-3259 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which cou… | |||
| CVE-2020-2551 | unknown | — | 1.5 | 3y ago | Oracle Fusion Middleware contains an unspecified vulnerability in the WLS Core Components that allows an unauthenticated attacker with network access via IIOP to compromise the WebLogic Server. | |||
| CVE-2020-12641 | unknown | — | 1.5 | 3y ago | Roundcube Webmail contains a remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | |||
| CVE-2020-0601 | unknown | — | 1.5 | 4y ago | Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by usin… | |||
| CVE-2020-3837 | unknown | — | 1.5 | 4y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. | |||
| CVE-2020-9907 | unknown | — | 1.5 | 4y ago | Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. | |||
| CVE-2020-0638 | unknown | — | 1.5 | 4y ago | Microsoft Update Notification Manager contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2020-1027 | unknown | — | 1.5 | 4y ago | An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated … | |||
| CVE-2020-2509 | unknown | — | 1.5 | 4y ago | QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. | |||
| CVE-2020-1631 | unknown | — | 1.5 | 4y ago | A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZT… | |||
| CVE-2020-2021 | unknown | — | 1.5 | 4y ago | Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication. | |||
| CVE-2020-2506 | unknown | — | 1.5 | 4y ago | QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information. | |||
| CVE-2020-9377 | unknown | — | 1.5 | 4y ago | D-Link DIR-610 devices allow remote code execution via the cmd parameter to command.php. | |||
| CVE-2020-9054 | unknown | — | 1.5 | 4y ago | Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code. |
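The CVE-2020-13254 row above says only that a memcached backend which does not validate cache keys lets malformed keys collide. The example below, added here and not taken from Django or memcached, shows the mechanism and the check: the memcached text protocol splits a command line on whitespace and `get` accepts several keys per line, so an application key built from request-controlled input can name a second, unrelated key. `ToyMemcached` is a constructed stand-in that models only that tokenisation, the `profile:` prefix and the `session:victim` entry are constructed sample data, and `memcache_key_problems` applies the same two conditions (over 250 bytes, or any whitespace/control character) that Django's memcached backends started rejecting in 2.2.13 and 3.0.7.

```python
MEMCACHE_MAX_KEY_LENGTH = 250  # key limit of the memcached text protocol


def memcache_key_problems(key: str) -> list:
    """Return why `key` is unsafe on a memcached backend (empty list = OK).

    Two conditions, the same ones Django's memcached backends check after
    CVE-2020-13254: an over-long key, or any whitespace/control character,
    which the memcached text protocol treats as a token separator.
    """
    problems = []
    if len(key) > MEMCACHE_MAX_KEY_LENGTH:
        problems.append("too long")
    if any(ord(ch) < 33 or ord(ch) == 127 for ch in key):
        problems.append("whitespace or control character")
    return problems


class ToyMemcached:
    """Constructed stand-in for a memcached server (not the real one).

    It models one property of the text protocol only: a `get` line is split
    on whitespace and every token after the command is treated as a key to
    return, so a key that contains a space silently becomes several keys.
    """

    def __init__(self):
        self._store = {}

    def set(self, key: str, value: str) -> None:
        # The demo only stores well-formed keys, so no tokenisation here.
        self._store[key] = value

    def get(self, key_line: str) -> dict:
        # `get k1 k2 ...` returns every named key that exists.
        return {k: self._store[k] for k in key_line.split() if k in self._store}


def cache_lookup(server: ToyMemcached, user_supplied: str, validate: bool) -> dict:
    """Build a cache key the way a web app often does (fixed prefix plus a
    request-controlled value) and fetch it.

    validate=False sends the key to the server as-is (the pre-fix behaviour);
    validate=True refuses any key memcache_key_problems() objects to.
    """
    key = f"profile:{user_supplied}"  # hypothetical application prefix
    if validate:
        problems = memcache_key_problems(key)
        if problems:
            raise ValueError(f"refusing cache key {key!r}: {problems}")
    return server.get(key)


def demo() -> dict:
    """Run the collision once without validation and once with it."""
    server = ToyMemcached()
    server.set("session:victim", "victim-session-data")  # constructed entry

    # Constructed malicious input: the embedded space ends the attacker's own
    # key and smuggles a second key, the victim's session, onto the get line.
    smuggled = "attacker session:victim"

    leaked = cache_lookup(server, smuggled, validate=False)
    try:
        cache_lookup(server, smuggled, validate=True)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The validation belongs at the cache-backend boundary rather than at each call site: every key the application derives from a path segment, query parameter or header passes through it, and a refused key surfaces as an error instead of as another user's cached data.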