CVEs from 2021
Total
4,786
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.5%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-47980 | high | 7.1 | 7.1 | 22d ago | Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log i… | |||
| CVE-2021-4090 | high | 7.1 | 7.1 | 4y ago | An out-of-bounds (OOB) memory write flaw was found in the NFSD in the Linux kernel. Missing sanity may lead to a write beyond bmval[bmlen-1] in nfsd4_decode_bitmap4 in fs/nfsd/nfs4xdr.c. In this flaw… | |||
| CVE-2021-36133 | high | 7.1 | 7.1 | 5y ago | The OPTEE-OS CSU driver for NXP i.MX SoC devices lacks security access configuration for several models, resulting in TrustZone bypass because the NonSecure World can perform arbitrary memory read/wr… | |||
| CVE-2021-30952 | medium | — | 7.0 | 3mo ago | An integer overflow was addressed with improved input validation. This issue is fixed in tvOS 15.2, macOS Monterey 12.1, Safari 15.2, iOS 15.2 and iPadOS 15.2, watchOS 8.3. Processing maliciously cra… | |||
| CVE-2021-1789 | medium | — | 7.0 | 4y ago | A type confusion issue was addressed with improved state handling. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.… | |||
| CVE-2021-30665 | medium | — | 7.0 | 5y ago | A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing mal… | |||
| CVE-2021-30666 | medium | — | 7.0 | 5y ago | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 12.5.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware… | |||
| CVE-2021-1871 | medium | — | 7.0 | 5y ago | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remo… | |||
| CVE-2021-30858 | medium | — | 7.0 | 5y ago | A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbit… | |||
| CVE-2021-1870 | medium | — | 7.0 | 5y ago | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remo… | |||
| CVE-2021-30661 | medium | — | 7.0 | 5y ago | A use after free issue was addressed with improved memory management. This issue is fixed in Safari 14.1, iOS 12.5.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5, macOS Big Sur 11.3. Processing … | |||
| CVE-2021-30663 | medium | — | 7.0 | 5y ago | An integer overflow was addressed with improved input validation. This issue is fixed in iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, Safari 14.1.1, macOS Big Sur 11.3.1. Processing malicious… | |||
| CVE-2021-30761 | medium | — | 7.0 | 5y ago | A memory corruption issue was addressed with improved state management. This issue is fixed in iOS 12.5.4. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aw… | |||
| CVE-2021-30762 | medium | — | 7.0 | 5y ago | A use after free issue was addressed with improved memory management. This issue is fixed in iOS 12.5.4. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is awar… | |||
| CVE-2021-27562 | medium | 5.5 | 7.0 | 5y ago | In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mod… | |||
| CVE-2021-41617 | high | 7.0 | 7.0 | 5y ago | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs … | |||
| CVE-2021-21508 | medium | 6.7 | 6.7 | 16d ago | Dell VxRail versions before 7.0.200 contain a Plain-text Password Storage Vulnerability in VxRail Manager. A sys-admin user may exploit this vulnerability, leading to the disclosure of certain user c… | |||
| CVE-2021-44832 | medium | 6.6 | 6.6 | 5y ago | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender wit… | |||
| CVE-2021-29447 | medium | — | 6.5 | — | Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress install… | |||
| CVE-2021-3490 | medium | — | 6.5 | — | The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kern… | |||
| CVE-2021-36438 | medium | 6.5 | 6.5 | 1mo ago | SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. | |||
| CVE-2021-47960 | medium | 6.5 | 6.5 | 2mo ago | A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local … | |||
| CVE-2021-45478 | medium | 6.5 | 6.5 | 3y ago | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: bef… | |||
| CVE-2021-45477 | medium | 6.5 | 6.5 | 3y ago | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: bef… | |||
| CVE-2021-1721 | medium | 6.5 | 6.5 | 4y ago | RHSA-2021:0476: dotnet5.0 security and bugfix update (Important) | |||
| CVE-2021-42293 | medium | 6.5 | 6.5 | 5y ago | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | |||
| CVE-2021-31807 | medium | — | 6.5 | 5y ago | RHSA-2021:4292: squid:4 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-31806 | medium | — | 6.5 | 5y ago | RHSA-2021:4292: squid:4 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-22791 | medium | 6.5 | 6.5 | 5y ago | A CWE-787: Out-of-bounds Write vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project f… | |||
| CVE-2021-22790 | medium | 6.5 | 6.5 | 5y ago | A CWE-125: Out-of-bounds Read vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project fi… | |||
| CVE-2021-22789 | medium | 6.5 | 6.5 | 5y ago | A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the contr… | |||
| CVE-2021-21735 | medium | 6.5 | 6.5 | 5y ago | A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user inf… | |||
| CVE-2021-47957 | medium | 6.4 | 6.4 | 22d ago | Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Att… | |||
| CVE-2021-47968 | medium | 6.4 | 6.4 | 23d ago | Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description p… | |||
| CVE-2021-47962 | medium | 6.4 | 6.4 | 23d ago | Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers… | |||
| CVE-2021-47951 | medium | 6.4 | 6.4 | 28d ago | WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access C… | |||
| CVE-2021-47950 | medium | 6.4 | 6.4 | 28d ago | Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulati… | |||
| CVE-2021-47947 | medium | 6.4 | 6.4 | 28d ago | Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edi… | |||
| CVE-2021-47931 | medium | 6.4 | 6.4 | 28d ago | Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing e… | |||
| CVE-2021-47929 | medium | 6.4 | 6.4 | 28d ago | Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attac… | |||
| CVE-2021-47927 | medium | 6.4 | 6.4 | 28d ago | WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization … | |||
| CVE-2021-47926 | medium | 6.4 | 6.4 | 28d ago | Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name f… | |||
| CVE-2021-47925 | medium | 6.4 | 6.4 | 28d ago | CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file uplo… | |||
| CVE-2021-47924 | medium | 6.4 | 6.4 | 28d ago | Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit… | |||
| CVE-2021-47922 | medium | 6.4 | 6.4 | 28d ago | Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScrip… | |||
| CVE-2021-47910 | medium | 6.4 | 6.4 | 28d ago | AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon titl… | |||
| CVE-2021-47907 | medium | 6.4 | 6.4 | 28d ago | Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attac… | |||
| CVE-2021-47978 | medium | 6.2 | 6.2 | 22d ago | ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send req… | |||
| CVE-2021-47967 | medium | 6.1 | 6.1 | 23d ago | PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers … | |||
| CVE-2021-47836 | medium | 6.1 | 6.1 | 5mo ago | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with e… | |||
| CVE-2021-4195 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows XSS Targeting HTML Attributes. … | |||
| CVE-2021-44197 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Informa… | |||
| CVE-2021-44196 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Informa… | |||
| CVE-2021-40327 | medium | 5.9 | 5.9 | 5y ago | Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incorrect access control. NSPE can access a secure key (held by the Crypto service) based solely on knowledge of its key ID. For examp… | |||
| CVE-2021-45105 | medium | 5.9 | 5.9 | 5y ago | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thre… | |||
| CVE-2021-28511 | medium | 5.8 | 5.8 | 4y ago | This advisory documents the impact of an internally found vulnerability in Arista EOS for security ACL bypass. The impact of this vulnerability is that the security ACL drop rule might be bypassed if… | |||
| CVE-2021-23959 | medium | — | 5.5 | — | An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating sys… | |||
| CVE-2021-29993 | medium | — | 5.5 | — | Firefox for Android allowed navigations through the `intent://` protocol, which could be used to cause crashes and UI spoofs. *This bug only affects Firefox for Android. Other operating systems are u… | |||
| CVE-2021-22564 | medium | — | 5.5 | — | For certain valid JPEG XL images with a size slightly larger than an integer number of groups (256x256 pixels) when processing the groups out of order the decoder can perform an out of bounds copy of… | |||
| CVE-2021-1093 | medium | — | 5.5 | — | multiple issues in nvidia-utils | |||
| CVE-2021-44847 | medium | — | 5.5 | — | A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received ne… | |||
| CVE-2021-43398 | medium | — | 5.5 | — | private key recovery in crypto++ | |||
| CVE-2021-3624 | medium | — | 5.5 | — | There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system. | |||
| CVE-2021-23158 | medium | — | 5.5 | — | A flaw was found in htmldoc in v1.9.12. Double-free in function pspdf_export(),in ps-pdf.cxx may result in a write-what-where condition, allowing an attacker to execute arbitrary code and denial of s… | |||
| CVE-2021-1076 | medium | — | 5.5 | — | NVIDIA GPU Display Driver for Windows and Linux, all versions, contains a vulnerability in the kernel mode layer (nvlddmkm.sys or nvidia.ko) where improper access control may lead to denial of servic… | |||
| CVE-2021-23165 | medium | — | 5.5 | — | A flaw was found in htmldoc before v1.9.12. Heap buffer overflow in pspdf_prepare_outpages(), in ps-pdf.cxx may lead to execute arbitrary code and denial of service. | |||
| CVE-2021-26948 | medium | — | 5.5 | — | Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file. | |||
| CVE-2021-21858 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |||
| CVE-2021-29450 | medium | — | 5.5 | — | Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges. Th… | |||
| CVE-2021-39200 | medium | — | 5.5 | — | WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions output data of the function wp_die() can be leaked under… | |||
| CVE-2021-41055 | medium | — | 5.5 | — | Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the message ID … | |||
| CVE-2021-3403 | medium | — | 5.5 | — | In ytnef 1.9.3, the TNEFSubjectHandler function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a double free which can be triggered via a … | |||
| CVE-2021-3404 | medium | — | 5.5 | — | In ytnef 1.9.3, the SwapWord function in lib/ytnef.c allows remote attackers to cause a denial-of-service (and potentially code execution) due to a heap buffer overflow which can be triggered via a c… | |||
| CVE-2021-20244 | medium | — | 5.5 | — | A flaw was found in ImageMagick in MagickCore/visual-effects.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division b… | |||
| CVE-2021-30580 | medium | — | 5.5 | — | Insufficient policy enforcement in Android intents in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious application to obtain potentially sensitive … | |||
| CVE-2021-23957 | medium | — | 5.5 | — | Navigations through the Android-specific `intent` URL scheme could have been misused to escape iframe sandbox. Note: This issue only affected Firefox for Android. Other operating systems are unaffect… | |||
| CVE-2021-1095 | medium | — | 5.5 | — | multiple issues in nvidia-utils | |||
| CVE-2021-27927 | medium | — | 5.5 | — | In Zabbix from 4.0.x before 4.0.28rc1, 5.0.0alpha1 before 5.0.10rc1, 5.2.x before 5.2.6rc1, and 5.4.0alpha1 before 5.4.0beta2, the CControllerAuthenticationUpdate controller lacks a CSRF protection m… | |||
| CVE-2021-30184 | medium | — | 5.5 | — | GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted PGN (Portable Game Notation) data. This is related to a buffer overflow in the use of a .tmp.epd temporary file in the cmd_pgnlo… | |||
| CVE-2021-32132 | medium | — | 5.5 | — | The abst_box_size function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |||
| CVE-2021-36584 | medium | — | 5.5 | — | An issue was discovered in GPAC 1.0.1. There is a heap-based buffer overflow in the function gp_rtp_builder_do_tx3g function in ietf/rtp_pck_3gpp.c, as demonstrated by MP4Box. This can cause a denial… | |||
| CVE-2021-32492 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds read in function DJVU::DataPool::has_data() via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-44542 | medium | — | 5.5 | — | A memory leak vulnerability was found in Privoxy when handling errors. | |||
| CVE-2021-32439 | medium | — | 5.5 | — | Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | |||
| CVE-2021-33363 | medium | — | 5.5 | — | Memory leak in the infe_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file. | |||
| CVE-2021-32294 | medium | — | 5.5 | — | An issue was discovered in libgig through 20200507. A heap-buffer-overflow exists in the function RIFF::List::GetSubList located in RIFF.cpp. It allows an attacker to cause code Execution. | |||
| CVE-2021-43518 | medium | — | 5.5 | — | Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. A map parser does not validate m_Channels value coming from a map file, leading to a buffer overflow. A malicious server may offe… | |||
| CVE-2021-31254 | medium | — | 5.5 | — | Buffer overflow in the tenc_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file, related invalid IV sizes. | |||
| CVE-2021-21859 | medium | — | 5.5 | — | An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The stri_box_read function is used when process… | |||
| CVE-2021-21861 | medium | — | 5.5 | — | An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. When processing the 'hdlr' FOURCC code, a speci… | |||
| CVE-2021-21846 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in “stsz”… | |||
| CVE-2021-21838 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |||
| CVE-2021-30152 | medium | — | 5.5 | — | An issue was discovered in MediaWiki before 1.31.13 and 1.32.x through 1.35.x before 1.35.2. When using the MediaWiki API to "protect" a page, a user is currently able to protect to a higher level th… | |||
| CVE-2021-28899 | medium | — | 5.5 | — | multiple issues in live-media | |||
| CVE-2021-3195 | medium | — | 5.5 | — | multiple issues in bitcoin-daemon | |||
| CVE-2021-31876 | medium | — | 5.5 | — | multiple issues in bitcoin-daemon | |||
| CVE-2021-30027 | medium | — | 5.5 | — | md_analyze_line in md4c.c in md4c 0.4.7 allows attackers to trigger use of uninitialized memory, and cause a denial of service via a malformed Markdown document. | |||
| CVE-2021-22186 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-44974 | medium | — | 5.5 | — | radareorg radare2 version 5.5.2 is vulnerable to NULL Pointer Dereference via libr/bin/p/bin_symbols.c binary symbol parser. | |||
| CVE-2021-36081 | medium | — | 5.5 | — | Tesseract OCR 5.0.0-alpha-20201231 has a one_ell_conflict use-after-free during a strpbrk call. |