CVEs from 2020
Total
3,992
critical
critical 169
high
high 590
medium
medium 739
low
low 59
% Critical
4.2%
% with KEV
3.7%
% with exploit
4.0%
Top vendors
Top products
- retail_xstore_point_of_service 33
- banking_digital_experience 30
- primavera_unifier 29
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 13
- insurance_policy_administration_j2ee 11
- communications_network_charging_and_control 10
- enterprise_manager_base_platform 10
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-8655 | unknown | — | 2.5 | 5y ago | EyesOfNetwork contains an improper privilege management vulnerability that may allow a user to run commands as root via a crafted Nmap Scripting Engine (NSE) script to nmap7. | |||
| CVE-2020-6287 | unknown | — | 2.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains a missing authentication for critical function vulnerability allowing unauthenticated access to execute configuration tasks and create adminis… | |||
| CVE-2020-5902 | unknown | — | 2.5 | 5y ago | F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages. | |||
| CVE-2020-6207 | unknown | — | 2.5 | 5y ago | SAP Solution Manager User Experience Monitoring contains a missing authentication for critical function vulnerability which results in complete compromise of all SMDAgents connected to the Solution M… | |||
| CVE-2020-3950 | unknown | — | 2.5 | 5y ago | VMware Fusion, Remote Console (VMRC) for Mac, and Horizon Client for Mac contain a privilege escalation vulnerability due to improper use of setuid binaries that allows attackers to escalate privileg… | |||
| CVE-2020-0646 | unknown | — | 2.5 | 5y ago | Microsoft .NET Framework contains an improper input validation vulnerability that allows for remote code execution. | |||
| CVE-2020-17496 | unknown | — | 2.5 | 5y ago | The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. Thi… | |||
| CVE-2020-1054 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains a privilege escalation vulnerability when the Windows kernel-mode driver fails to properly handle objects in memory. Successful exploitation allows an attacker to execute co… | |||
| CVE-2020-15505 | unknown | — | 2.5 | 5y ago | Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-5847 | unknown | — | 2.5 | 5y ago | Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access. | |||
| CVE-2020-8260 | unknown | — | 2.5 | 5y ago | Pulse Connect Secure contains an unspecified vulnerability that allows an authenticated attacker to perform code execution using uncontrolled gzip extraction. | |||
| CVE-2020-8657 | unknown | — | 2.5 | 5y ago | EyesOfNetwork contains a use of hard-coded credentials vulnerability, as it uses the same API key by default. Exploitation allows an attacker to calculate or guess the admin access token. | |||
| CVE-2020-5849 | unknown | — | 2.5 | 5y ago | Unraid contains an authentication bypass vulnerability that allows attackers to gain access to the administrative interface. This CVE is chainable with CVE-2020-5847 for remote code execution. | |||
| CVE-2020-0688 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server Validation Key fails to properly create unique keys at install time, allowing for remote code execution. | |||
| CVE-2020-2555 | unknown | — | 2.5 | 5y ago | Multiple Oracle products contain a remote code execution vulnerability that allows an unauthenticated attacker with network access via T3 or HTTP to takeover the affected system. Impacted Oracle prod… | |||
| CVE-2020-8644 | unknown | — | 2.5 | 5y ago | PlaySMS contains a server-side template injection vulnerability that allows for remote code execution. | |||
| CVE-2020-11738 | unknown | — | 2.5 | 5y ago | WordPress Snap Creek Duplicator plugin contains a file download vulnerability when an administrator creates a new copy of their site that allows an attacker to download the generated files from their… | |||
| CVE-2020-14883 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability in the Console component with high impacts to confidentilaity, integrity, and availability. | |||
| CVE-2020-14750 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability allowing an unauthenticated attacker to perform remote code execution. This vulnerability is related to CVE-2020-14882. | |||
| CVE-2020-10189 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine Desktop Central contains a file upload vulnerability that allows for unauthenticated remote code execution. | |||
| CVE-2020-14882 | unknown | — | 2.5 | 5y ago | Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related to CVE-2020-14750. | |||
| CVE-2020-3952 | unknown | — | 2.5 | 5y ago | VMware vCenter Server contains an information disclosure vulnerability in the VMware Directory Service (vmdir) when the Platform Services Controller (PSC) does not correctly implement access controls… | |||
| CVE-2020-14871 | unknown | — | 2.5 | 5y ago | Oracle Solaris and Oracle ZFS Storage Appliance Kit contain an unspecified vulnerability causing high impacts to confidentiality, integrity, and availability of affected systems. | |||
| CVE-2020-4427 | unknown | — | 2.5 | 5y ago | IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially craf… | |||
| CVE-2020-4428 | unknown | — | 2.5 | 5y ago | IBM Data Risk Manager contains an unspecified vulnerability which could allow a remote, authenticated attacker to execute commands on the system.� | |||
| CVE-2020-25213 | unknown | — | 2.5 | 5y ago | WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site. | |||
| CVE-2020-16117 | low | — | 2.5 | 5y ago | RHSA-2021:1752: evolution security, bug fix, and enhancement update (Low) | |||
| CVE-2020-36317 | low | — | 2.5 | 5y ago | RHSA-2021:1935: rust-toolset:rhel8 security, bug fix, and enhancement update (Low) | |||
| CVE-2020-36318 | low | — | 2.5 | 5y ago | RHSA-2021:1935: rust-toolset:rhel8 security, bug fix, and enhancement update (Low) | |||
| CVE-2020-13927 | unknown | — | 2.5 | 5y ago | The previous default setting for Airflow's Experimental API was to allow all API requests without authentication. | |||
| CVE-2020-29651 | low | — | 2.5 | 5y ago | A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying … | |||
| CVE-2020-17519 | unknown | — | 2.5 | 6y ago | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. | |||
| CVE-2020-11736 | low | — | 2.5 | 6y ago | RHSA-2021:4179: file-roller security update (Low) | |||
| CVE-2020-3898 | low | — | 2.5 | 6y ago | RHSA-2020:4469: cups security and bug fix update (Low) | |||
| CVE-2020-14928 | low | — | 2.5 | 6y ago | RHSA-2020:4649: evolution security and bug fix update (Low) | |||
| CVE-2020-12802 | low | — | 2.5 | 6y ago | RHSA-2020:4628: libreoffice security, bug fix, and enhancement update (Low) | |||
| CVE-2020-12803 | low | — | 2.5 | 6y ago | RHSA-2020:4628: libreoffice security, bug fix, and enhancement update (Low) | |||
| CVE-2020-10759 | low | — | 2.5 | 6y ago | RHSA-2020:4436: gnome-software and fwupd security, bug fix, and enhancement update (Low) | |||
| CVE-2020-11978 | unknown | — | 2.5 | 6y ago | A remote code/command injection vulnerability was discovered in one of the example DAGs shipped with Airflow. | |||
| CVE-2020-5410 | unknown | — | 2.5 | 6y ago | Spring, by VMware Tanzu, Cloud Config contains a path traversal vulnerability that allows applications to serve arbitrary configuration files. | |||
| CVE-2020-11078 | low | — | 2.5 | 6y ago | RHSA-2020:4605: resource-agents security and bug fix update (Low) | |||
| CVE-2020-7656 | low | — | 2.5 | 6y ago | RHSA-2021:4142: pcs security, bug fix, and enhancement update (Low) | |||
| CVE-2020-11054 | low | — | 2.5 | 6y ago | In qutebrowser versions less than 1.11.1, reloading a page with certificate errors shows a green URL. After a certificate error was overridden by the user, qutebrowser displays the URL as yellow (col… | |||
| CVE-2020-10199 | unknown | — | 2.5 | 6y ago | Sonatype Nexus Repository contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-15719 | low | — | 2.5 | 7y ago | RHBA-2019:3674: openldap bug fix and enhancement update (Low) | |||
| CVE-2020-9715 | unknown | — | 1.5 | 2mo ago | Adobe Acrobat contains a use-after-free vulnerability that allows for code execution | |||
| CVE-2020-7796 | unknown | — | 1.5 | 3mo ago | Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if WebEx zimlet installed and zimlet JSP is enabled. | |||
| CVE-2020-24363 | unknown | — | 1.5 | 9mo ago | TP-link TL-WA855RE contains a missing authentication for critical function vulnerability. This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP_RESET POST … | |||
| CVE-2020-25078 | unknown | — | 1.5 | 10mo ago | D-Link DCS-2530L and DCS-2670L devices contains an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end… | |||
| CVE-2020-25079 | unknown | — | 1.5 | 10mo ago | D-Link DCS-2530L and DCS-2670L devices contains a command injection vulnerability in the cgi-bin/ddns_enc.cgi. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users shou… | |||
| CVE-2020-15069 | unknown | — | 1.5 | 1y ago | Sophos XG Firewall contains a buffer overflow vulnerability that allows for remote code execution via the "HTTP/S bookmark" feature. | |||
| CVE-2020-29574 | unknown | — | 1.5 | 1y ago | CyberoamOS (CROS) contains a SQL injection vulnerability in the WebAdmin that allows an unauthenticated attacker to execute arbitrary SQL statements remotely. | |||
| CVE-2020-15415 | unknown | — | 1.5 | 2y ago | DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacte… | |||
| CVE-2020-14644 | unknown | — | 1.5 | 2y ago | Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerabi… | |||
| CVE-2020-13965 | unknown | — | 1.5 | 2y ago | Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment. | |||
| CVE-2020-3259 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which cou… | |||
| CVE-2020-2551 | unknown | — | 1.5 | 3y ago | Oracle Fusion Middleware contains an unspecified vulnerability in the WLS Core Components that allows an unauthenticated attacker with network access via IIOP to compromise the WebLogic Server. | |||
| CVE-2020-12641 | unknown | — | 1.5 | 3y ago | Roundcube Webmail contains an remote code execution vulnerability that allows attackers to execute code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | |||
| CVE-2020-0601 | unknown | — | 1.5 | 4y ago | Microsoft Windows CryptoAPI (Crypt32.dll) contains a spoofing vulnerability in the way it validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by usin… | |||
| CVE-2020-3837 | unknown | — | 1.5 | 4y ago | Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. | |||
| CVE-2020-9907 | unknown | — | 1.5 | 4y ago | Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges. | |||
| CVE-2020-1027 | unknown | — | 1.5 | 4y ago | An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated … | |||
| CVE-2020-0638 | unknown | — | 1.5 | 4y ago | Microsoft Update Notification Manager contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2020-2509 | unknown | — | 1.5 | 4y ago | QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. | |||
| CVE-2020-1631 | unknown | — | 1.5 | 4y ago | A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZT… | |||
| CVE-2020-9377 | unknown | — | 1.5 | 4y ago | D-Link DIR-610 devices allow remote code execution via the cmd parameter to command.php. | |||
| CVE-2020-9054 | unknown | — | 1.5 | 4y ago | Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code. | |||
| CVE-2020-2021 | unknown | — | 1.5 | 4y ago | Palo Alto Networks PAN-OS contains a vulnerability in SAML which allows an attacker to bypass authentication. | |||
| CVE-2020-2506 | unknown | — | 1.5 | 4y ago | QNAP Helpdesk contains an improper access control vulnerability which could allow an attacker to gain privileges or to read sensitive information. | |||
| CVE-2020-5135 | unknown | — | 1.5 | 4y ago | A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. | |||
| CVE-2020-8218 | unknown | — | 1.5 | 4y ago | A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface. | |||
| CVE-2020-11899 | unknown | — | 1.5 | 4y ago | The Treck TCP/IP stack contains an IPv6 out-of-bounds read vulnerability. | |||
| CVE-2020-14864 | unknown | — | 1.5 | 4y ago | Path traversal vulnerability, where an attacker can target the preview FilePath parameter of the getPreviewImage function to get access to arbitrary system file. | |||
| CVE-2020-6572 | unknown | — | 1.5 | 4y ago | Google Chrome Media contains a use-after-free vulnerability that allows a remote attacker to execute code via a crafted HTML page. | |||
| CVE-2020-17463 | unknown | — | 1.5 | 5y ago | FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items. | |||
| CVE-2020-11261 | unknown | — | 1.5 | 5y ago | Memory corruption due to improper check to return error when user application requests memory allocation of a huge size in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Con… | |||
| CVE-2020-9819 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, and watchOS Mail contains a memory corruption vulnerability that may allow heap corruption when processing a maliciously crafted mail message. | |||
| CVE-2020-27932 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, and watchOS contain a type confusion vulnerability that may allow a malicious application to execute code with kernel privileges. | |||
| CVE-2020-9859 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, watchOS, and tvOS contain an unspecified vulnerability that may allow an application to execute code with kernel privileges. | |||
| CVE-2020-3452 | unknown | — | 1.5 | 5y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerab… | |||
| CVE-2020-3580 | unknown | — | 1.5 | 5y ago | Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an insufficient input validation vulnerability for user-supplied input by the web services interface. Successful ex… | |||
| CVE-2020-1464 | unknown | — | 1.5 | 5y ago | Microsoft Windows contains a spoofing vulnerability when Windows incorrectly validates file signatures, allowing an attacker to bypass security features and load improperly signed files. | |||
| CVE-2020-3566 | unknown | — | 1.5 | 5y ago | Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to … | |||
| CVE-2020-8599 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One and OfficeScan server contain a vulnerable EXE file that could allow a remote attacker to write data to a path on affected installations and bypass root login. | |||
| CVE-2020-1040 | unknown | — | 1.5 | 5y ago | Microsoft Hyper-V RemoteFX vGPU contains an improper input validation vulnerability due to the host server failing to properly validate input from an authenticated user on a guest operating system. S… | |||
| CVE-2020-3118 | unknown | — | 1.5 | 5y ago | Cisco IOS XR improperly validates string input from certain fields in Cisco Discovery Protocol messages. Exploitation could allow an unauthenticated, adjacent attacker to execute code with administra… | |||
| CVE-2020-1380 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability which can allow for remote code execution in the context of the current user. | |||
| CVE-2020-0968 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains a memory corruption vulnerability due to how the Scripting Engine handles objects in memory, leading to remote code execution. | |||
| CVE-2020-0683 | unknown | — | 1.5 | 5y ago | Microsoft Windows Installer contains a privilege escalation vulnerability when MSI packages process symbolic links, which allows attackers to bypass access restrictions to add or remove files. | |||
| CVE-2020-3569 | unknown | — | 1.5 | 5y ago | Cisco IOS XR Distance Vector Multicast Routing Protocol (DVMRP) incorrectly handles Internet Group Management Protocol (IGMP) packets. Exploitation could allow an unauthenticated, remote attacker to … | |||
| CVE-2020-9818 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, and watchOS Mail contains an out-of-bounds write vulnerability which may allow memory modification or application termination when processing a maliciously crafted mail message. | |||
| CVE-2020-17144 | unknown | — | 1.5 | 5y ago | Microsoft Exchange Server improperly validates cmdlet arguments which allow an attacker to perform remote code execution. | |||
| CVE-2020-8515 | unknown | — | 1.5 | 5y ago | DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2020-3161 | unknown | — | 1.5 | 5y ago | Cisco IP Phones contain an improper input validation vulnerability for HTTP requests. Exploitation could allow an attacker to execute code remotely with root privileges or cause a denial-of-service (… | |||
| CVE-2020-0986 | unknown | — | 1.5 | 5y ago | Microsoft Windows kernel contains an unspecified vulnerability when handling objects in memory that allows attackers to escalate privileges and execute code in kernel mode. | |||
| CVE-2020-24557 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One, OfficeScan, and Worry-Free Business Security on Microsoft Windows contain an improper access control vulnerability that may allow an attacker to manipulate a particular product … | |||
| CVE-2020-3992 | unknown | — | 1.5 | 5y ago | VMware ESXi OpenSLP contains a use-after-free vulnerability that allows an attacker residing in the management network with access to port 427 to perform remote code execution. | |||
| CVE-2020-10148 | unknown | — | 1.5 | 5y ago | SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands. | |||
| CVE-2020-0938 | unknown | — | 1.5 | 5y ago | Microsoft Windows Adobe Font Manager Library contains an unspecified vulnerability when handling specially crafted multi-master fonts (Adobe Type 1 PostScript format) that allows for remote code exec… | |||
| CVE-2020-8243 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure contains an unspecified vulnerability in the admin web interface that could allow an authenticated attacker to upload a custom template to perform code execution. |