VIR Vulnerability Intelligence Relay

CVEs from 2020

4,160 normalized CVEs published or assigned in this year.

Total
4,160
critical
critical 193
high
high 470
medium
medium 675
low
low 56
% Critical
4.6%
% with KEV
3.5%
% with exploit
3.6%

Top vendors

Top products

  • banking_digital_experience 30
  • retail_xstore_point_of_service 28
  • primavera_unifier 27
  • retail_service_backbone 15
  • financial_services_institutional_performance_analytics 10
  • communications_network_charging_and_control 10
  • communications_contacts_server 9
  • agile_plm 8

Top packages

Severitycriticalhighmediumlowunknown
0
KEVHas exploit
Reset
CVE Severity CVSS Risk Published Description Impact
CVE-2020-7247 critical 10.0 4y ago smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session. archdebian
CVE-2020-6819 critical 10.0 5y ago Mozilla Firefox and Thunderbird contain a race condition vulnerability when running the nsDocShell destructor under certain conditions. The race condition creates a use-after-free vulnerability, caus… archsusedebian
CVE-2020-6820 critical 10.0 5y ago Mozilla Firefox and Thunderbird contain a race condition vulnerability when handling a ReadableStream under certain conditions. The race condition creates a use-after-free vulnerability, causing unsp… archsusedebian
CVE-2020-16009 critical 10.0 6y ago multiple issues in chromium archdebiannuget
CVE-2020-37239 critical 9.8 9.8 12d ago libbabl 0.1.62 contains a broken double free detection vulnerability that allows attackers to bypass memory safety checks by exploiting signature overwriting in freed chunks. Attackers can call babl_…
CVE-2020-37228 critical 9.8 9.8 12d ago iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object. Attackers can retr…
CVE-2020-37168 critical 9.8 9.8 15d ago Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. A…
CVE-2020-37002 critical 9.8 9.8 4mo ago Ajenti 2.1.36 contains a post-authenticated remote command execution vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/t…
CVE-2020-28271 critical 9.8 9.8 6y ago Prototype Pollution in deephas npm
CVE-2020-9546 critical 9.8 9.8 6y ago jackson-databind mishandles the interaction between serialization gadgets and typing debianrockylinuxjavaoracle
CVE-2020-12395 critical 9.5 Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enoug… archdebian
CVE-2020-6808 critical 9.5 When a JavaScript URL (javascript:) is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL (as reported by… archsusedebian
CVE-2020-6823 critical 9.5 A malicious extension could have called <code>browser.identity.launchWebAuthFlow</code>, controlling the redirect_uri, and through the Promise returned, obtain the Auth code and gain access to the us… archsusedebian
CVE-2020-28032 critical 9.5 WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. archdebian
CVE-2020-28034 critical 9.5 WordPress before 5.5.2 allows XSS associated with global variables. archdebian
CVE-2020-28039 critical 9.5 is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. archdebian
CVE-2020-6535 critical 9.5 Insufficient data validation in WebUI in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had compromised the renderer process to inject scripts or HTML into a privileged page via a … archdebian
CVE-2020-6379 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6528 critical 9.5 Incorrect security UI in basic auth in Google Chrome on iOS prior to 84.0.4147.89 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. archdebian
CVE-2020-25125 critical 9.5 GnuPG 2.2.21 and 2.2.22 (and Gpg4win 3.1.12) has an array overflow, leading to a crash or possibly unspecified other impact, when a victim imports an attacker's OpenPGP key, and this key has AEAD pre… archdebian
CVE-2020-6380 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6408 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6526 critical 9.5 Inappropriate implementation in iframe sandbox in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. archdebian
CVE-2020-15975 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15985 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6515 critical 9.5 Use after free in tab strip in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6404 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6416 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6510 critical 9.5 Heap buffer overflow in background fetch in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6517 critical 9.5 Heap buffer overflow in history in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6413 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15967 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6522 critical 9.5 Inappropriate implementation in external protocol handlers in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. archdebian
CVE-2020-6378 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6073 critical 9.5 An exploitable denial-of-service vulnerability exists in the TXT record-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing the RDATA section in a TXT record in mDNS messages, multiple… archdebian
CVE-2020-6398 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6399 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6391 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6392 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15991 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6381 critical 9.5 multiple issues in chromium archdebian
CVE-2020-16004 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6405 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6406 critical 9.5 multiple issues in chromium archdebian
CVE-2020-9760 critical 9.5 An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affected). When a new IRC message 005 is received with longer nick prefixes, a buffer overflow and possibly a crash can happen when a… archdebian
CVE-2020-15990 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6410 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15971 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15972 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6402 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6518 critical 9.5 Use after free in developer tools in Google Chrome prior to 84.0.4147.89 allowed a remote attacker who had convinced the user to use developer tools to potentially exploit heap corruption via a craft… archdebian
CVE-2020-6525 critical 9.5 Heap buffer overflow in Skia in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-16008 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6527 critical 9.5 Insufficient policy enforcement in CSP in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to bypass content security policy via a crafted HTML page. archdebian
CVE-2020-6824 critical 9.5 Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Priv… archsusedebian
CVE-2020-6512 critical 9.5 Type Confusion in V8 in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. archdebian
CVE-2020-6511 critical 9.5 Information leak in content security policy in Google Chrome prior to 84.0.4147.89 allowed a remote attacker to leak cross-origin data via a crafted HTML page. archdebian
CVE-2020-15992 critical 9.5 multiple issues in chromium archdebian
CVE-2020-26958 critical 9.5 Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerabili… archsusedebian
CVE-2020-12390 critical 9.5 Incorrect origin serialization of URLs with IPv6 addresses could lead to incorrect security checks. This vulnerability affects Firefox < 76. archdebian
CVE-2020-15977 critical 9.5 multiple issues in chromium archdebian
CVE-2020-12396 critical 9.5 Mozilla developers and community members reported memory safety bugs present in Firefox 75. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of thes… archdebian
CVE-2020-6395 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15981 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15986 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6403 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6412 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6397 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15982 critical 9.5 multiple issues in chromium archdebian
CVE-2020-26959 critical 9.5 During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerabil… archsusedebian
CVE-2020-15968 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15980 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6396 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6529 critical 9.5 Inappropriate implementation in WebRTC in Google Chrome prior to 84.0.4147.89 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page. archdebian
CVE-2020-15973 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15988 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15970 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6800 critical 9.5 Mozilla developers and community members reported memory safety bugs present in Firefox 72 and Firefox ESR 68.4. Some of these bugs showed evidence of memory corruption and we presume that with enoug… archsusedebian
CVE-2020-26951 critical 9.5 A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privilege… archsusedebian
CVE-2020-6389 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6388 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15978 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6415 critical 9.5 multiple issues in chromium archdebian
CVE-2020-28040 critical 9.5 WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. archdebian
CVE-2020-16005 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6401 critical 9.5 multiple issues in chromium archdebian
CVE-2020-26961 critical 9.5 When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped… archsusedebian
CVE-2020-6077 critical 9.5 An exploitable denial-of-service vulnerability exists in the message-parsing functionality of Videolabs libmicrodns 0.1.0. When parsing mDNS messages, the implementation does not properly keep track … archdebian
CVE-2020-8955 critical 9.5 irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified othe… archdebian
CVE-2020-16006 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6393 critical 9.5 multiple issues in chromium archdebian
CVE-2020-15969 critical 9.5 multiple issues in chromium archdebiansuse
CVE-2020-6414 critical 9.5 multiple issues in chromium archdebian
CVE-2020-26950 critical 9.5 In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox … archsusedebian
CVE-2020-15984 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6812 critical 9.5 The first time AirPods are connected to an iPhone, they become named after the user's name by default (e.g. Jane Doe's AirPods.) Websites with camera or microphone permission are able to enumerate de… archsusedebian
CVE-2020-6810 critical 9.5 After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the brow… archsusedebian
CVE-2020-16007 critical 9.5 multiple issues in chromium archdebian
CVE-2020-6811 critical 9.5 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted … archsusedebian
CVE-2020-6394 critical 9.5 multiple issues in chromium archdebian