VIR Vulnerability Intelligence Relay

CVEs from 2020

4,634 normalized CVEs published or assigned in this year.

Total
4,634
critical
critical 193
high
high 470
medium
medium 675
low
low 56
% Critical
4.2%
% with KEV
3.2%
% with exploit
3.2%

Top vendors

Top products

  • banking_digital_experience 30
  • retail_xstore_point_of_service 28
  • primavera_unifier 27
  • retail_service_backbone 15
  • financial_services_institutional_performance_analytics 10
  • communications_network_charging_and_control 10
  • communications_contacts_server 9
  • agile_plm 8

Top packages

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2020-7247 critical 10.0 4y ago smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session. archdebian
CVE-2020-6820 critical 10.0 5y ago Mozilla Firefox and Thunderbird contain a race condition vulnerability when handling a ReadableStream under certain conditions. The race condition creates a use-after-free vulnerability, causing unsp… archsusedebian
CVE-2020-6819 critical 10.0 5y ago Mozilla Firefox and Thunderbird contain a race condition vulnerability when running the nsDocShell destructor under certain conditions. The race condition creates a use-after-free vulnerability, caus… archsusedebian
CVE-2020-16009 critical 10.0 6y ago multiple issues in chromium archdebiannuget
CVE-2020-37239 critical 9.8 9.8 12d ago libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_…
CVE-2020-37228 critical 9.8 9.8 12d ago iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retr…
CVE-2020-37168 critical 9.8 9.8 15d ago Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. A…
CVE-2020-37002 critical 9.8 9.8 4mo ago Ajenti 2.1.36 contains a post-authenticated remote command execution vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/t…
CVE-2020-28271 critical 9.8 9.8 6y ago Prototype Pollution in deephas npm
CVE-2020-9546 critical 9.8 9.8 6y ago jackson-databind mishandles the interaction between serialization gadgets and typing debianrockylinuxjavaoracle
CVE-2020-6795 critical 9.5 When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code caused a null pointer dereference, leading to an unexploitable crash. This vulnerability affects … archdebian
CVE-2020-25125 critical 9.5 GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD pre… archdebian
CVE-2020-16004 critical 9.5 multiple issues in chromium archdebian
CVE-2020-12394 critical 9.5 A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulne… archdebian
CVE-2020-11521 critical 9.5 libfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write. archdebian
CVE-2020-11523 critical 9.5 libfreerdp/gdi/region.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Integer Overflow. archdebian
CVE-2020-15983 critical 9.5 multiple issues in chromium archdebian
CVE-2020-11524 critical 9.5 libfreerdp/codec/interleaved.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write. archdebian
CVE-2020-6535 critical 9.5 Insufficient data validation in WebUI in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had compromised the renderer process to inject scripts or HTML into a privileged page via a … archdebian
CVE-2020-6510 critical 9.5 Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-28034 critical 9.5 WordPress before 5.5.2 allows XSS associated with global variables. archdebian
CVE-2020-6823 critical 9.5 A malicious extension could have called <code>browser.identity.launchWebAuthFlow</code>, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the us… archsusedebian
CVE-2020-28037 critical 9.5 is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, lea… archdebian
CVE-2020-28035 critical 9.5 WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. archdebian
CVE-2020-15973 critical 9.5 multiple issues in chromium archdebian
CVE-2020-16005 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15969 critical 9.5 multiple issues in chromium archdebiansuse
CVE-2020-15968 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15990 critical 9.5 multiple issues in chromium archdebian
CVE-2020-12391 critical 9.5 Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opa… archdebian
CVE-2020-8794 critical 9.5 OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTP… archdebian
CVE-2020-15974 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15971 critical 9.5 multiple issues in chromium archdebian
CVE-2020-9760 critical 9.5 An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affected). When a new IRC message 005 is received with longer nick prefixes, a buffer overflow and possibly a crash can happen when a… archdebian
CVE-2020-15988 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6526 critical 9.5 Inappropriate implementation in iframe sandbox in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. archdebian
CVE-2020-6528 critical 9.5 Incorrect security UI in basic auth in Google Chrome on iOS prior to 84.0.4147.89 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. archdebian
CVE-2020-15972 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6518 critical 9.5 Use after free in developer tools in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had convinced the user to use developer tools to potentially exploit heap corruption via a craft… archdebian
CVE-2020-6512 critical 9.5 Type Confusion in V8 in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6515 critical 9.5 Use after free in tab strip in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6522 critical 9.5 Inappropriate implementation in external protocol handlers in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. archdebian
CVE-2020-12392 critical 9.5 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and past… archdebian
CVE-2020-28032 critical 9.5 WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. archdebian
CVE-2020-11986 critical 9.5 To be able to analyze gradle projects, the build scripts need to be executed. Apache NetBeans follows this pattern. This causes the code of the build script to be invoked at load time of the project.… archdebian
CVE-2020-6808 critical 9.5 When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by… archsusedebian
CVE-2020-15979 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6411 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15982 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6398 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6395 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6393 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6392 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15970 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6391 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6389 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6388 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6381 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15967 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6380 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6378 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6402 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15985 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6534 critical 9.5 Heap buffer overflow in WebRTC in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6536 critical 9.5 Incorrect security UI in PWAs in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had persuaded the user to install a PWA to spoof the contents of the Omnibox (URL bar) via a crafted… archdebian
CVE-2020-6413 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6516 critical 9.5 Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. archdebian
CVE-2020-6792 critical 9.5 When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5. archdebian
CVE-2020-6415 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6530 critical 9.5 Out of bounds memory access in developer tools in Google Chrome prior to 84.0.4147.89 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption … archdebian
CVE-2020-6409 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15991 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6412 critical 9.5 multiple issues in chromium archdebian
CVE-2020-8955 critical 9.5 irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified othe… archdebian
CVE-2020-6406 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15986 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6410 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15975 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6405 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6394 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15977 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6511 critical 9.5 Information leak in content security policy in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. archdebian
CVE-2020-6408 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15980 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6403 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6517 critical 9.5 Heap buffer overflow in history in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6404 critical 9.5 multiple issues in chromium archdebian
CVE-2020-16008 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15981 critical 9.5 multiple issues in chromium archdebian
CVE-2020-28039 critical 9.5 is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. archdebian
CVE-2020-6397 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15984 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6401 critical 9.5 multiple issues in chromium archdebian
CVE-2020-12395 critical 9.5 Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enoug… archdebian
CVE-2020-6399 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6794 critical 9.5 If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was no… archdebian
CVE-2020-6400 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6557 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6396 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6071 critical 9.5 An exploitable denial-of-service vulnerability exists in the resource record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing compressed labels in mDNS messages, the compression poi… archdebian