CVEs from 2020
Total
4,160
critical
critical 193
high
high 470
medium
medium 675
low
low 56
% Critical
4.6%
% with KEV
3.5%
% with exploit
3.6%
Top products
- banking_digital_experience 30
- retail_xstore_point_of_service 28
- primavera_unifier 27
- retail_service_backbone 15
- financial_services_institutional_performance_analytics 10
- communications_network_charging_and_control 10
- communications_contacts_server 9
- agile_plm 8
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2020-7247 | critical | — | 10.0 | 4y ago | smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session. | |
| CVE-2020-6819 | critical | — | 10.0 | 5y ago | Mozilla Firefox and Thunderbird contain a race condition vulnerability when running the nsDocShell destructor under certain conditions. The race condition creates a use-after-free vulnerability, caus… | |
| CVE-2020-6820 | critical | — | 10.0 | 5y ago | Mozilla Firefox and Thunderbird contain a race condition vulnerability when handling a ReadableStream under certain conditions. The race condition creates a use-after-free vulnerability, causing unsp… | |
| CVE-2020-16009 | critical | — | 10.0 | 6y ago | multiple issues in chromium | |
| CVE-2020-37239 | critical | 9.8 | 9.8 | 12d ago | libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_… | |
| CVE-2020-37228 | critical | 9.8 | 9.8 | 12d ago | iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retr… | |
| CVE-2020-37168 | critical | 9.8 | 9.8 | 15d ago | Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. A… | |
| CVE-2020-37002 | critical | 9.8 | 9.8 | 4mo ago | Ajenti 2.1.36 contains a post-authenticated remote command execution vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/t… | |
| CVE-2020-28271 | critical | 9.8 | 9.8 | 6y ago | Prototype Pollution in deephas | |
| CVE-2020-9546 | critical | 9.8 | 9.8 | 6y ago | jackson-databind mishandles the interaction between serialization gadgets and typing | |
| CVE-2020-6406 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-11524 | critical | — | 9.5 | — | libfreerdp/codec/interleaved.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write. | |
| CVE-2020-26963 | critical | — | 9.5 | — | Repeated calls to the history and location interfaces could have been used to hang the browser. This was addressed by introducing rate-limiting to these API calls. This vulnerability affects Firefox … | |
| CVE-2020-6824 | critical | — | 9.5 | — | Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Priv… | |
| CVE-2020-8955 | critical | — | 9.5 | — | irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified othe… | |
| CVE-2020-15968 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6414 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15682 | critical | — | 9.5 | — | When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an o… | |
| CVE-2020-16007 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15978 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6402 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6405 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6416 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6511 | critical | — | 9.5 | — | Information leak in content security policy in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2020-11647 | critical | — | 9.5 | — | In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the BACapp dissector could crash. This was addressed in epan/dissectors/packet-bacapp.c by limiting the amount of recursion. | |
| CVE-2020-6077 | critical | — | 9.5 | — | An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing mDNS messages, the implementation does not properly keep track … | |
| CVE-2020-14355 | critical | — | 9.5 | — | Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affe… | |
| CVE-2020-28034 | critical | — | 9.5 | — | WordPress before 5.5.2 allows XSS associated with global variables. | |
| CVE-2020-6382 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6801 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox 72. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |
| CVE-2020-28033 | critical | — | 9.5 | — | WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. | |
| CVE-2020-11986 | critical | — | 9.5 | — | To be able to analyze gradle projects, the build scripts need to be executed. Apache NetBeans follows this pattern. This causes the code of the build script to be invoked at load time of the project.… | |
| CVE-2020-6826 | critical | — | 9.5 | — | Mozilla developers Tyson Smith, Bob Clary, and Alexandru Michis reported memory safety bugs present in Firefox 74. Some of these bugs showed evidence of memory corruption and we presume that with eno… | |
| CVE-2020-16006 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-12392 | critical | — | 9.5 | — | The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and past… | |
| CVE-2020-26956 | critical | — | 9.5 | — | In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbir… | |
| CVE-2020-6807 | critical | — | 9.5 | — | When a device was changed while a stream was about to be destroyed, the <code>stream-reinit</code> task may have been executed after the stream was destroyed, causing a use-after-free and a potential… | |
| CVE-2020-16044 | critical | — | 9.5 | — | Use after free in WebRTC in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted SCTP packet. | |
| CVE-2020-6415 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6409 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6410 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6403 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6518 | critical | — | 9.5 | — | Use after free in developer tools in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had convinced the user to use developer tools to potentially exploit heap corruption via a craft… | |
| CVE-2020-6379 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-9760 | critical | — | 9.5 | — | An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affected). When a new IRC message 005 is received with longer nick prefixes, a buffer overflow and possibly a crash can happen when a… | |
| CVE-2020-6387 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6516 | critical | — | 9.5 | — | Policy bypass in CORS in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2020-6810 | critical | — | 9.5 | — | After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the brow… | |
| CVE-2020-26962 | critical | — | 9.5 | — | Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across … | |
| CVE-2020-15970 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-28032 | critical | — | 9.5 | — | WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. | |
| CVE-2020-6792 | critical | — | 9.5 | — | When deriving an identifier for an email message, uninitialized memory was used in addition to the message contents. This vulnerability affects Thunderbird < 68.5. | |
| CVE-2020-6794 | critical | — | 9.5 | — | If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was no… | |
| CVE-2020-15969 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6413 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-28036 | critical | — | 9.5 | — | wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. | |
| CVE-2020-6408 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6808 | critical | — | 9.5 | — | When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by… | |
| CVE-2020-26959 | critical | — | 9.5 | — | During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerabil… | |
| CVE-2020-26960 | critical | — | 9.5 | — | If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash. This vulnerabili… | |
| CVE-2020-28038 | critical | — | 9.5 | — | WordPress before 5.5.2 allows stored XSS via post slugs. | |
| CVE-2020-15989 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6412 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15681 | critical | — | 9.5 | — | When multiple WASM threads had a reference to a module, and were looking up exported functions, one WASM thread could have overwritten another's entry in a shared stub table, resulting in a potential… | |
| CVE-2020-28039 | critical | — | 9.5 | — | is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. | |
| CVE-2020-6806 | critical | — | 9.5 | — | By carefully crafting promise resolutions, it was possible to cause an out-of-bounds read off the end of an array resized during script execution. This could have led to memory corruption and a poten… | |
| CVE-2020-6796 | critical | — | 9.5 | — | A content process could have modified shared memory relating to crash reporting information, crash itself, and cause an out-of-bound write. This could have caused memory corruption and a potentially … | |
| CVE-2020-26968 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these… | |
| CVE-2020-6814 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox and Thunderbird 68.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these co… | |
| CVE-2020-11523 | critical | — | 9.5 | — | libfreerdp/gdi/region.c in FreeRDP versions > 1.0 through 2.0.0-rc4 has an Integer Overflow. | |
| CVE-2020-15680 | critical | — | 9.5 | — | If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed a… | |
| CVE-2020-15683 | critical | — | 9.5 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enoug… | |
| CVE-2020-15967 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15974 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15976 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6795 | critical | — | 9.5 | — | When processing a message that contains multiple S/MIME signatures, a bug in the MIME processing code caused a null pointer dereference, leading to an unexploitable crash. This vulnerability affects … | |
| CVE-2020-28035 | critical | — | 9.5 | — | WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. | |
| CVE-2020-26967 | critical | — | 9.5 | — | When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This w… | |
| CVE-2020-25125 | critical | — | 9.5 | — | GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD pre… | |
| CVE-2020-28037 | critical | — | 9.5 | — | is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, lea… | |
| CVE-2020-6557 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15987 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-12390 | critical | — | 9.5 | — | Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. This vulnerability affects Firefox < 76. | |
| CVE-2020-12396 | critical | — | 9.5 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of thes… | |
| CVE-2020-6798 | critical | — | 9.5 | — | If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly… | |
| CVE-2020-15971 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15984 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15980 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-11521 | critical | — | 9.5 | — | libfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc4 has an Out-of-bounds Write. | |
| CVE-2020-6811 | critical | — | 9.5 | — | The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted … | |
| CVE-2020-6812 | critical | — | 9.5 | — | The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate de… | |
| CVE-2020-15684 | critical | — | 9.5 | — | Mozilla developers reported memory safety bugs present in Firefox 81. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |
| CVE-2020-15981 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6411 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-6528 | critical | — | 9.5 | — | Incorrect security UI in basic auth in Google Chrome on iOS prior to 84.0.4147.89 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |
| CVE-2020-15982 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-15977 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2020-26950 | critical | — | 9.5 | — | In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox … | |
| CVE-2020-12394 | critical | — | 9.5 | — | A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulne… | |
| CVE-2020-12391 | critical | — | 9.5 | — | Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opa… |