CVEs from 2021

Summary
- Total: 4,786
- Critical: 281
- High: 1,022
- Medium: 1,179
- Low: 138
- % Critical: 5.9%
- % with KEV: 4.5%
- % with exploit: 5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-29040 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Reveals Data via Overly Verbose Error Messages | |||
| CVE-2021-29041 | unknown | — | — | 4y ago | Liferay DXP Vulnerable to Denial-of-service (DoS) in the Multi-Factor Authentication Module | |||
| CVE-2021-29047 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Fails to Invalidate CAPTCHA Answers After Use | |||
| CVE-2021-22137 | unknown | — | — | 4y ago | Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch | |||
| CVE-2021-21646 | unknown | — | — | 4y ago | Remote code execution vulnerability in Jenkins Templating Engine Plugin | |||
| CVE-2021-21642 | unknown | — | — | 4y ago | XML External Entity Reference vulnerability in Jenkins Config File Provider Plugin | |||
| CVE-2021-21643 | unknown | — | — | 4y ago | Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs | |||
| CVE-2021-21647 | unknown | — | — | 4y ago | Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds | |||
| CVE-2021-21645 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs | |||
| CVE-2021-21644 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files | |||
| CVE-2021-22510 | unknown | — | — | 4y ago | Reflected XSS vulnerability in Jenkins Micro Focus Application Automation Tools Plugin | |||
| CVE-2021-22513 | unknown | — | — | 4y ago | Missing permission checks in Micro Focus Application Automation Tools Plugin | |||
| CVE-2021-22512 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Micro Focus Application Automation Tools Plugin | |||
| CVE-2021-22511 | unknown | — | — | 4y ago | SSL/TLS certificate validation unconditionally disabled by Jenkins Micro Focus Application Automation Tools Plugin | |||
| CVE-2021-21641 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins promoted builds Plugin | |||
| CVE-2021-21634 | unknown | — | — | 4y ago | Passwords stored in plain text by Jenkins Jabber (XMPP) notifier and control Plugin | |||
| CVE-2021-21632 | unknown | — | — | 4y ago | Missing permission checks in Jenkins OWASP Dependency-Track Plugin allow capturing credentials | |||
| CVE-2021-21636 | unknown | — | — | 4y ago | Missing permission check in Jenkins Team Foundation Server Plugin allows enumerating credentials IDs | |||
| CVE-2021-21637 | unknown | — | — | 4y ago | Missing permission check in Jenkins Team Foundation Server Plugin allows capturing credentials | |||
| CVE-2021-21635 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins REST List Parameter Plugin | |||
| CVE-2021-21633 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins OWASP Dependency-Track Plugin allows capturing credentials | |||
| CVE-2021-21631 | unknown | — | — | 4y ago | Missing permission check in Jenkins Cloud Statistics Plugin | |||
| CVE-2021-21628 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Build With Parameters Plugin | |||
| CVE-2021-21630 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Extra Columns Plugin | |||
| CVE-2021-21629 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Build With Parameters Plugin | |||
| CVE-2021-21624 | unknown | — | — | 4y ago | Incorrect permission checks in Jenkins Role-based Authorization Strategy Plugin may allow accessing some items | |||
| CVE-2021-21626 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents | |||
| CVE-2021-21627 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Libvirt Agents Plugin | |||
| CVE-2021-21625 | unknown | — | — | 4y ago | Missing permission checks in Jenkins CloudBees AWS Credentials Plugin allow enumerating credentials IDs | |||
| CVE-2021-21623 | unknown | — | — | 4y ago | Incorrect permission checks in Jenkins Matrix Authorization Strategy Plugin may allow accessing some items | |||
| CVE-2021-20218 | unknown | — | — | 4y ago | Improper Limitation of a Pathname to a Restricted Directory in Fabric8 Kubernetes Client | |||
| CVE-2021-21622 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Artifact Repository Parameter Plugin | |||
| CVE-2021-21616 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Active Choices Plugin | |||
| CVE-2021-21619 | unknown | — | — | 4y ago | XSS vulnerability in Jenkins Claim Plugin | |||
| CVE-2021-21621 | unknown | — | — | 4y ago | Support bundles can include user session IDs in Jenkins Support Core Plugin | |||
| CVE-2021-21617 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Configuration Slicing Plugin | |||
| CVE-2021-21618 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Repository Connector Plugin | |||
| CVE-2021-3396 | unknown | — | — | 4y ago | OpenNMS Horizon RCE via JEXL2 expression | |||
| CVE-2021-0341 | unknown | — | — | 4y ago | Square OkHttp can accept the wrong certificate | |||
| CVE-2021-21613 | unknown | — | — | 4y ago | XSS vulnerability in Jenkins TICS Plugin | |||
| CVE-2021-21614 | unknown | — | — | 4y ago | Credentials stored in plain text by Jenkins Bumblebee HP ALM Plugin | |||
| CVE-2021-21612 | unknown | — | — | 4y ago | Credentials stored in plain text by Jenkins TraceTronic ECU-TEST Plugin | |||
| CVE-2021-23267 | unknown | — | — | 4y ago | Crafter CMS Crafter Studio vulnerable to Improper Control of Dynamically-Managed Code Resources | |||
| CVE-2021-23266 | unknown | — | — | 4y ago | Log value insertion in craftercms | |||
| CVE-2021-23265 | unknown | — | — | 4y ago | Improper Privilege Management in craftercms | |||
| CVE-2021-23792 | unknown | — | — | 4y ago | External Entity Reference in TwelveMonkeys ImageIO | |||
| CVE-2021-40822 | unknown | — | — | 4y ago | GeoServer allows SSRF via the option for setting a proxy host | |||
| CVE-2021-3503 | unknown | — | — | 4y ago | Metrics exposure in Wildfly | |||
| CVE-2021-31805 | unknown | — | — | 4y ago | Expression Language Injection in Apache Struts | |||
| CVE-2021-44138 | unknown | — | — | 4y ago | Path Traversal in Caucho Resin | |||
| CVE-2021-43142 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in wutka jox | |||
| CVE-2021-43090 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in soa-model | |||
| CVE-2021-20323 | unknown | — | — | 4y ago | Cross-site Scripting in Keycloak | |||
| CVE-2021-30180 | unknown | — | — | 4y ago | Code injection in Apache Dubbo | |||
| CVE-2021-30179 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Apache Dubbo | |||
| CVE-2021-30181 | unknown | — | — | 4y ago | Code injection in Apache Dubbo | |||
| CVE-2021-25640 | unknown | — | — | 4y ago | Server-Side Request Forgery in Apache Dubbo | |||
| CVE-2021-25641 | unknown | — | — | 4y ago | Deserializer tampering in Apache Dubbo | |||
| CVE-2021-30638 | unknown | — | — | 4y ago | Information Exposure in Apache Tapestry | |||
| CVE-2021-21655 | unknown | — | — | 4y ago | Cross-Site Request Forgery in Jenkins P4 Plugin | |||
| CVE-2021-21656 | unknown | — | — | 4y ago | XML external entity (XXE) attacks in Jenkins Xcode integration Plugin | |||
| CVE-2021-23901 | unknown | — | — | 4y ago | XML external entity (XXE) injection in Apache Nutch | |||
| CVE-2021-22114 | unknown | — | — | 4y ago | Path Traversal in Spring-integration-zip | |||
| CVE-2021-44667 | unknown | — | — | 4y ago | Cross-site Scripting in Nacos | |||
| CVE-2021-38296 | unknown | — | — | 4y ago | Authentication Bypass by Capture-replay in Apache Spark | |||
| CVE-2021-44585 | unknown | — | — | 4y ago | Cross-site Scripting in jeecg-boot | |||
| CVE-2021-46384 | unknown | — | — | 4y ago | Remote code execution in net.mingsoft:ms-mcms | |||
| CVE-2021-38266 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP fails to properly import users from LDAP | |||
| CVE-2021-3654 | unknown | — | — | 4y ago | A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. | |||
| CVE-2021-38263 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP cross-site scripting (XSS) vulnerability via the script console | |||
| CVE-2021-38264 | unknown | — | — | 4y ago | Liferay Portal vulnerable to cross-site scripting (XSS) via the keywords parameter | |||
| CVE-2021-38265 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) | |||
| CVE-2021-38269 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) in the Gogo Shell module | |||
| CVE-2021-38267 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) in edit blog entry page | |||
| CVE-2021-38268 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP has incorrect default permissions for site members | |||
| CVE-2021-41193 | unknown | — | — | 4y ago | Use of Externally-Controlled Format String in wire-avs | |||
| CVE-2021-44550 | unknown | — | — | 4y ago | Access Control vulnerability within CoreNLP | |||
| CVE-2021-46037 | unknown | — | — | 4y ago | Path traversal in MCMS | |||
| CVE-2021-46036 | unknown | — | — | 4y ago | File upload leading to RCE in MCMS | |||
| CVE-2021-46063 | unknown | — | — | 4y ago | Server Side Template Injection in MCMS | |||
| CVE-2021-46062 | unknown | — | — | 4y ago | MCMS Arbitrary File Deletion vulnerability | |||
| CVE-2021-44868 | unknown | — | — | 4y ago | SQL injection in MCMS | |||
| CVE-2021-3127 | unknown | — | — | 4y ago | NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled. | |||
| CVE-2021-3907 | unknown | — | — | 4y ago | OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, (ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa), which would then be written to… | |||
| CVE-2021-44521 | unknown | — | — | 4y ago | Apache Cassandra vulnerable to Code Injection due to unsafe configuration | |||
| CVE-2021-46363 | unknown | — | — | 4y ago | Arbitrary code execution in Magnolia CMS | |||
| CVE-2021-46366 | unknown | — | — | 4y ago | Cross-Site Request Forgery in Magnolia CMS | |||
| CVE-2021-46365 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in Magnolia CMS | |||
| CVE-2021-46361 | unknown | — | — | 4y ago | Arbitrary code execution in Magnolia CMS | |||
| CVE-2021-46364 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Magnolia CMS | |||
| CVE-2021-31684 | unknown | — | — | 4y ago | Out of bounds read in json-smart | |||
| CVE-2021-43841 | unknown | — | — | 4y ago | Cross-site Scripting by SVG upload in xwiki-platform | |||
| CVE-2021-32732 | unknown | — | — | 4y ago | Cross-Site Request Forgery in xwiki-platform | |||
| CVE-2021-41495 | unknown | — | — | 4y ago | Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attack… | |||
| CVE-2021-41496 | unknown | — | — | 4y ago | Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative val… | |||
| CVE-2021-36151 | unknown | — | — | 4y ago | Hadoop token in temp file visible to all users in Apache Gobblin | |||
| CVE-2021-36152 | unknown | — | — | 4y ago | Apache Gobblin trusts all certificates used for LDAP connections in Gobblin-as-a-Service | |||
| CVE-2021-41571 | unknown | — | — | 4y ago | Improper Input Validation in Apache Pulsar | |||
| CVE-2021-42767 | unknown | — | — | 4y ago | Neo4j Graph Database vulnerable to Path Traversal | |||
| CVE-2021-43859 | unknown | — | — | 4y ago | Denial of Service by injecting highly recursive collections or maps in XStream |