CVEs from 2021
Total
4,807
critical
critical 280
high
high 1,018
medium
medium 1,175
low
low 138
% Critical
5.8%
% with KEV
4.4%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- communications_unified_inventory_management 7
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-22555 | high | — | 10.0 | 8mo ago | Linux Kernel contains a heap out-of-bounds write vulnerability that could allow an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space. | |||
| CVE-2021-43798 | high | — | 10.0 | 2y ago | Grafana contains a path traversal vulnerability that could allow access to local files. | |||
| CVE-2021-3560 | high | — | 10.0 | 3y ago | Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation. | |||
| CVE-2021-4034 | high | — | 10.0 | 4y ago | The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights. | |||
| CVE-2021-3156 | high | — | 10.0 | 4y ago | Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation. | |||
| CVE-2021-4102 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |||
| CVE-2021-44228 | critical | — | 10.0 | 5y ago | Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution. | |||
| CVE-2021-21220 | high | — | 10.0 | 5y ago | Google Chromium V8 Engine contains an improper input validation vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could af… | |||
| CVE-2021-22205 | critical | — | 10.0 | 5y ago | GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through Exi… | |||
| CVE-2021-41773 | high | — | 10.0 | 5y ago | A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-li… | |||
| CVE-2021-21148 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |||
| CVE-2021-30551 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |||
| CVE-2021-42013 | critical | — | 10.0 | 5y ago | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Al… | |||
| CVE-2021-39935 | high | — | 9.5 | 4mo ago | GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. | |||
| CVE-2021-30533 | high | — | 9.5 | 4y ago | Google Chromium PopupBlocker contains an insufficient policy enforcement vulnerability that allows a remote attacker to bypass navigation restrictions via a crafted iframe. This vulnerability could a… | |||
| CVE-2021-0920 | high | — | 9.5 | 4y ago | Android kernel contains a race condition, which allows for a use-after-free vulnerability. Exploitation can allow for privilege escalation. | |||
| CVE-2021-40438 | high | — | 9.5 | 5y ago | A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. | |||
| CVE-2021-38003 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine has a bug in JSON.stringify, where the internal TheHole value can leak to script code, causing memory corruption. This vulnerability could affect multiple web browsers that … | |||
| CVE-2021-37975 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |||
| CVE-2021-21206 | high | — | 9.5 | 5y ago | Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |||
| CVE-2021-21224 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to execute code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web … | |||
| CVE-2021-30632 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains an out-of-bounds write vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |||
| CVE-2021-37976 | high | — | 9.5 | 5y ago | Google Chromium contains an information disclosure vulnerability within the core memory component that allows a remote attacker to obtain potentially sensitive information from process memory via a c… | |||
| CVE-2021-30633 | high | — | 9.5 | 5y ago | Google Chromium Indexed DB API contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted H… | |||
| CVE-2021-30563 | high | — | 9.5 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |||
| CVE-2021-21166 | high | — | 9.5 | 5y ago | Google Chromium contains a race condition vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web brow… | |||
| CVE-2021-37973 | high | — | 9.5 | 5y ago | Google Chromium Portals contains a use-after-free vulnerability that allows a remote attacker, who has compromised the renderer process, to potentially perform a sandbox escape via a crafted HTML pag… | |||
| CVE-2021-30554 | high | — | 9.5 | 5y ago | Google Chromium WebGL contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |||
| CVE-2021-21193 | high | — | 9.5 | 5y ago | Google Chromium Blink contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple we… | |||
| CVE-2021-38000 | high | — | 9.5 | 5y ago | Google Chromium Intents contains an improper input validation vulnerability that allows a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page. This vulnerability could a… | |||
| CVE-2021-39226 | high | — | 9.5 | 5y ago | Grafana contains an authentication bypass vulnerability that allows authenticated and unauthenticated users to view and delete all snapshot data, potentially resulting in complete snapshot data loss. | |||
| CVE-2021-22204 | medium | — | 8.0 | 5y ago | Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image | |||
| CVE-2021-30952 | medium | — | 7.0 | 3mo ago | Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code executio… | |||
| CVE-2021-1789 | medium | — | 7.0 | 4y ago | A type confusion issue affecting multiple Apple products allows processing of maliciously crafted web content, leading to arbitrary code execution. | |||
| CVE-2021-30666 | medium | — | 7.0 | 5y ago | Apple iOS WebKit contains a buffer-overflow vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, i… | |||
| CVE-2021-30761 | medium | — | 7.0 | 5y ago | Apple iOS WebKit contains a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit,… | |||
| CVE-2021-30665 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, macOS, watchOS, and tvOS WebKit contain a memory corruption vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could imp… | |||
| CVE-2021-30661 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, macOS, tvOS, watchOS, and Safari WebKit Storage contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerabil… | |||
| CVE-2021-30762 | medium | — | 7.0 | 5y ago | Apple iOS WebKit contains a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers that use WebKit, in… | |||
| CVE-2021-30663 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, macOS, tvOS, and Safari WebKit contain an integer overflow vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impa… | |||
| CVE-2021-30858 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, and macOS WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers t… | |||
| CVE-2021-1871 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, and macOS WebKit contain an unspecified logic vulnerability that allows a remote attacker to execute code. This vulnerability could impact HTML parsers that use WebKit, including b… | |||
| CVE-2021-1870 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, and macOS WebKit contain an unspecified logic vulnerability that allows a remote attacker to execute code. This vulnerability could impact HTML parsers that use WebKit, including b… | |||
| CVE-2021-26086 | unknown | — | 2.5 | 2y ago | Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint. | |||
| CVE-2021-44529 | unknown | — | 2.5 | 2y ago | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody). | |||
| CVE-2021-27876 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Ag… | |||
| CVE-2021-27878 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine. | |||
| CVE-2021-27877 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. | |||
| CVE-2021-35587 | unknown | — | 2.5 | 4y ago | Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to takeover the Access Manager product. | |||
| CVE-2021-3493 | unknown | — | 2.5 | 4y ago | The overlayfs stacking file system in Linux kernel does not properly validate the application of file capabilities against user namespaces, which could lead to privilege escalation. | |||
| CVE-2021-31166 | unknown | — | 2.5 | 4y ago | Microsoft HTTP Protocol Stack contains a vulnerability in http.sys that allows for remote code execution. | |||
| CVE-2021-21551 | unknown | — | 2.5 | 4y ago | Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure. | |||
| CVE-2021-26085 | unknown | — | 2.5 | 4y ago | Affected versions of Atlassian Confluence Server allow remote attackers to view restricted resources via a pre-authorization arbitrary file read vulnerability in the /s/ endpoint. | |||
| CVE-2021-42237 | unknown | — | 2.5 | 4y ago | Sitcore XP contains an insecure deserialization vulnerability which can allow for remote code execution. | |||
| CVE-2021-36934 | unknown | — | 2.5 | 4y ago | If a Volume Shadow Copy (VSS) shadow copy of the system drive is available, users can read the SAM file which would allow any user to escalate privileges to SYSTEM level. | |||
| CVE-2021-25297 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-25298 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-25296 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-21975 | unknown | — | 2.5 | 4y ago | Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to s… | |||
| CVE-2021-36260 | unknown | — | 2.5 | 5y ago | A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation. | |||
| CVE-2021-45046 | unknown | — | 2.5 | 5y ago | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in… | |||
| CVE-2021-44077 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution | |||
| CVE-2021-42321 | unknown | — | 2.5 | 5y ago | An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution. | |||
| CVE-2021-40449 | unknown | — | 2.5 | 5y ago | Unspecified vulnerability allows for an authenticated user to escalate privileges. | |||
| CVE-2021-31207 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass. | |||
| CVE-2021-30657 | unknown | — | 2.5 | 5y ago | Apple macOS contains an unspecified logic issue in System Preferences that may allow a malicious application to bypass Gatekeeper checks. | |||
| CVE-2021-1675 | unknown | — | 2.5 | 5y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-34527 | unknown | — | 2.5 | 5y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation allows an atta… | |||
| CVE-2021-27065 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-34473 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-1732 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-1498 | unknown | — | 2.5 | 5y ago | Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. | |||
| CVE-2021-36942 | unknown | — | 2.5 | 5y ago | Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability allowing an unauthenticated attacker to call a method on the LSARPC interface and coerce the domain controller to au… | |||
| CVE-2021-40444 | unknown | — | 2.5 | 5y ago | Microsoft MSHTML contains a unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-38648 | unknown | — | 2.5 | 5y ago | Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation. | |||
| CVE-2021-21985 | unknown | — | 2.5 | 5y ago | VMware vSphere Client contains an improper input validation vulnerability in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server, which allows for remote code executio… | |||
| CVE-2021-21972 | unknown | — | 2.5 | 5y ago | VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network access to port 443 to execute commands with unrest… | |||
| CVE-2021-22005 | unknown | — | 2.5 | 5y ago | VMware vCenter Server contains a file upload vulnerability in the Analytics service that allows a user with network access to port 443 to execute code. | |||
| CVE-2021-40539 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution. | |||
| CVE-2021-1497 | unknown | — | 2.5 | 5y ago | Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user. | |||
| CVE-2021-22986 | unknown | — | 2.5 | 5y ago | F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system co… | |||
| CVE-2021-35464 | unknown | — | 2.5 | 5y ago | ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFram… | |||
| CVE-2021-34523 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-42258 | unknown | — | 2.5 | 5y ago | BQE BillQuick Web Suite contains an SQL injection vulnerability when accessing the username parameter that may allow for unauthenticated, remote code execution. | |||
| CVE-2021-38647 | unknown | — | 2.5 | 5y ago | Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution. | |||
| CVE-2021-26084 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code. | |||
| CVE-2021-22502 | unknown | — | 2.5 | 5y ago | Micro Focus Operation Bridge Report (OBR) contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-26855 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-39144 | unknown | — | 2.5 | 5y ago | XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command o… | |||
| CVE-2021-3129 | unknown | — | 2.5 | 5y ago | Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents(). | |||
| CVE-2021-22054 | unknown | — | 1.5 | 3mo ago | Omnissa Workspace One UEM formerly known as VMware Workspace One UEM contains a server-side request forgery (SSRF) vulnerability that could allow a malicious actor with network access to UEM to send … | |||
| CVE-2021-22681 | unknown | — | 1.5 | 3mo ago | Multiple Rockwell products contain an insufficient protected credentials vulnerability. Studio 5000 Logix Designer software may allow a key to be discovered. This key is used to verify Logix controll… | |||
| CVE-2021-22175 | unknown | — | 1.5 | 4mo ago | GitLab contains a server-side request forgery (SSRF) vulnerability when requests to the internal network for webhooks are enabled. | |||
| CVE-2021-26828 | unknown | — | 1.5 | 6mo ago | OpenPLC ScadaBR contains an unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. | |||
| CVE-2021-26829 | unknown | — | 1.5 | 6mo ago | OpenPLC ScadaBR contains a cross-site scripting vulnerability via system_settings.shtm. | |||
| CVE-2021-43226 | unknown | — | 1.5 | 8mo ago | Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms. | |||
| CVE-2021-32030 | unknown | — | 1.5 | 1y ago | ASUS Lyra Mini and ASUS GT-AC2900 devices contain an improper authentication vulnerability that allows an attacker to gain unauthorized access to the administrative interface. The impacted products c… | |||
| CVE-2021-20035 | unknown | — | 1.5 | 1y ago | SonicWall SMA100 appliances contain an OS command injection vulnerability in the management interface that allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, whic… | |||
| CVE-2021-44207 | unknown | — | 1.5 | 2y ago | Acclaim Systems USAHERDS contains a hard-coded credentials vulnerability that could allow an attacker to achieve remote code execution on the system that runs the application. The MachineKey must be … | |||
| CVE-2021-40407 | unknown | — | 1.5 | 2y ago | Reolink RLC-410W IP cameras contain an authenticated OS command injection vulnerability in the device network settings functionality. |