CVEs from 2020
Total
3,971
critical
critical 184
high
high 576
medium
medium 738
low
low 59
% Critical
4.6%
% with KEV
3.7%
% with exploit
5.1%
Top vendors
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-15094 | unknown | — | — | 6y ago | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X… | |||
| CVE-2020-12480 | unknown | — | — | 6y ago | CSRF in Play Framework | |||
| CVE-2020-5413 | unknown | — | — | 6y ago | Code execution in Spring Integration | |||
| CVE-2020-13921 | unknown | — | — | 6y ago | SQL Injection in Apache SkyWalking | |||
| CVE-2020-11994 | unknown | — | — | 6y ago | Server side template injection in Apache Camel | |||
| CVE-2020-1937 | unknown | — | — | 6y ago | SQL Injection in Kylin | |||
| CVE-2020-13926 | unknown | — | — | 6y ago | SQL Injection in Kylin | |||
| CVE-2020-13925 | unknown | — | — | 6y ago | Command Injection in Kylin | |||
| CVE-2020-15231 | unknown | — | — | 6y ago | XSS in Mapfish Print relating to JSONP support | |||
| CVE-2020-15232 | unknown | — | — | 6y ago | XXE attack in Mapfish Print | |||
| CVE-2020-15087 | unknown | — | — | 6y ago | Privilege escalation in Presto | |||
| CVE-2020-14061 | unknown | — | — | 6y ago | Deserialization of untrusted data in Jackson Databind | |||
| CVE-2020-14195 | unknown | — | — | 6y ago | Deserialization of untrusted data in Jackson Databind | |||
| CVE-2020-11612 | unknown | — | — | 6y ago | Denial of Service in Netty | |||
| CVE-2020-5408 | unknown | — | — | 6y ago | Insufficient Entropy in Spring Security | |||
| CVE-2020-7226 | unknown | — | — | 6y ago | Denial of Service in Cryptacular | |||
| CVE-2020-10683 | unknown | — | — | 6y ago | dom4j allows External Entities by default which might enable XXE attacks | |||
| CVE-2020-5407 | unknown | — | — | 6y ago | Signature wrapping vulnerability in Spring Security | |||
| CVE-2020-5405 | unknown | — | — | 6y ago | Directory traversal attack in Spring Cloud Config | |||
| CVE-2020-1963 | unknown | — | — | 6y ago | File system access via H2 in Apache Ignite | |||
| CVE-2020-11973 | unknown | — | — | 6y ago | Apache Camel Netty enables Java deserialization by default | |||
| CVE-2020-1941 | unknown | — | — | 6y ago | Apache ActiveMQ webconsole admin GUI is open to XSS | |||
| CVE-2020-5529 | unknown | — | — | 6y ago | Code execution vulnerability in HtmlUnit | |||
| CVE-2020-1953 | unknown | — | — | 6y ago | Remote code execution in Apache Commons Configuration | |||
| CVE-2020-10968 | unknown | — | — | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |||
| CVE-2020-11111 | unknown | — | — | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |||
| CVE-2020-7647 | unknown | — | — | 6y ago | path traversal in Jooby | |||
| CVE-2020-11050 | unknown | — | — | 6y ago | Improper Validation of Certificate with Host Mismatch in Java-WebSocket | |||
| CVE-2020-1929 | unknown | — | — | 6y ago | Improper Certificate Validation in Apache Beam | |||
| CVE-2020-11009 | unknown | — | — | 6y ago | IDOR can reveal execution data and logs to unauthorized user in Rundeck | |||
| CVE-2020-10969 | unknown | — | — | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |||
| CVE-2020-11620 | unknown | — | — | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |||
| CVE-2020-11007 | unknown | — | — | 6y ago | Negative charge in shopping cart in Shopizer | |||
| CVE-2020-1728 | unknown | — | — | 6y ago | Improper Restriction of Rendered UI Layers or Frames in Keycloak | |||
| CVE-2020-1731 | unknown | — | — | 6y ago | Predictable password in Keycloak | |||
| CVE-2020-1697 | unknown | — | — | 6y ago | XSS in Keycloak | |||
| CVE-2020-10203 | unknown | — | — | 6y ago | Persistent Cross-Site scripting in Nexus Repository Manager | |||
| CVE-2020-10204 | unknown | — | — | 6y ago | Remote Code Execution - JavaEL Injection (low privileged accounts) in Nexus Repository Manager | |||
| CVE-2020-11002 | unknown | — | — | 6y ago | Remote Code Execution (RCE) vulnerability in dropwizard-validation | |||
| CVE-2020-7622 | unknown | — | — | 6y ago | Improper Neutralization of CRLF Sequences in HTTP Headers in Jooby ('HTTP Response Splitting) | |||
| CVE-2020-5497 | unknown | — | — | 6y ago | XSS in MITREid Connect | |||
| CVE-2020-7611 | unknown | — | — | 6y ago | Micronaut's HTTP client is vulnerable to HTTP Request Header Injection | |||
| CVE-2020-5289 | unknown | — | — | 6y ago | Read permissions not enforced for client provided filter expressions in Elide. | |||
| CVE-2020-5275 | unknown | — | — | 6y ago | In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides … | |||
| CVE-2020-5274 | unknown | — | — | 6y ago | In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even … | |||
| CVE-2020-5255 | unknown | — | — | 6y ago | In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the r… | |||
| CVE-2020-5280 | unknown | — | — | 6y ago | Local file inclusion vulnerability in http4s | |||
| CVE-2020-6858 | unknown | — | — | 6y ago | HTTP Response Splitting in Styx | |||
| CVE-2020-5245 | unknown | — | — | 6y ago | Remote Code Execution (RCE) vulnerability in dropwizard-validation | |||
| CVE-2020-7238 | unknown | — | — | 6y ago | HTTP Request Smuggling in Netty | |||
| CVE-2020-1925 | unknown | — | — | 6y ago | Server-Side Request Forgery (SSRF) in Apache Olingo | |||
| CVE-2020-5228 | unknown | — | — | 6y ago | Unauthenticated Access Via OAI-PMH | |||
| CVE-2020-5229 | unknown | — | — | 6y ago | Password Hashing: Do not use MD5 | |||
| CVE-2020-5230 | unknown | — | — | 6y ago | Unsafe Identifiers in Opencast | |||
| CVE-2020-5222 | unknown | — | — | 6y ago | Hard-Coded Key Used For Remember-me Token in Opencast | |||
| CVE-2020-5231 | unknown | — | — | 6y ago | Users with ROLE_COURSE_ADMIN can create new users in Opencast | |||
| CVE-2020-5206 | unknown | — | — | 6y ago | Authentication Bypass For Endpoints With Anonymous Access in Opencast | |||
| CVE-2020-5207 | unknown | — | — | 6y ago | Request smuggling is possible when both chunked TE and content length specified | |||
| CVE-2020-5397 | unknown | — | — | 6y ago | CSRF attack via CORS preflight requests with Spring MVC or Spring WebFlux | |||
| CVE-2020-5398 | unknown | — | — | 6y ago | RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application |