CVEs from 2021
Total
4,786
critical
critical 281
high
high 1,014
medium
medium 1,186
low
low 139
% Critical
5.9%
% with KEV
4.5%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-30665 | medium | — | 7.0 | 5y ago | A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 7.4.1, iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, macOS Big Sur 11.3.1. Processing mal… | |||
| CVE-2021-30663 | medium | — | 7.0 | 5y ago | An integer overflow was addressed with improved input validation. This issue is fixed in iOS 14.5.1 and iPadOS 14.5.1, tvOS 14.6, iOS 12.5.3, Safari 14.1.1, macOS Big Sur 11.3.1. Processing malicious… | |||
| CVE-2021-1870 | medium | — | 7.0 | 5y ago | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remo… | |||
| CVE-2021-1871 | medium | — | 7.0 | 5y ago | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, iOS 14.4 and iPadOS 14.4. A remo… | |||
| CVE-2021-30666 | medium | — | 7.0 | 5y ago | A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 12.5.3. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware… | |||
| CVE-2021-27562 | medium | 5.5 | 7.0 | 5y ago | In Arm Trusted Firmware M through 1.2, the NS world may trigger a system halt, an overwrite of secure data, or the printing out of secure data when calling secure functions under the NSPE handler mod… | |||
| CVE-2021-30858 | medium | — | 7.0 | 5y ago | A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbit… | |||
| CVE-2021-41617 | high | 7.0 | 7.0 | 5y ago | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs … | |||
| CVE-2021-21508 | medium | 6.7 | 6.7 | 16d ago | Dell VxRail versions before 7.0.200 contain a Plain-text Password Storage Vulnerability in VxRail Manager. A sys-admin user may exploit this vulnerability, leading to the disclosure of certain user c… | |||
| CVE-2021-44832 | medium | 6.6 | 6.6 | 5y ago | Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender wit… | |||
| CVE-2021-29447 | medium | — | 6.5 | — | Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress install… | |||
| CVE-2021-3490 | medium | — | 6.5 | — | The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kern… | |||
| CVE-2021-36438 | medium | 6.5 | 6.5 | 1mo ago | SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. | |||
| CVE-2021-47960 | medium | 6.5 | 6.5 | 2mo ago | A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local … | |||
| CVE-2021-45478 | medium | 6.5 | 6.5 | 3y ago | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: bef… | |||
| CVE-2021-45477 | medium | 6.5 | 6.5 | 3y ago | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: bef… | |||
| CVE-2021-1721 | medium | 6.5 | 6.5 | 4y ago | multiple issues in dotnet-sdk, dotnet-runtime | |||
| CVE-2021-42293 | medium | 6.5 | 6.5 | 5y ago | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | |||
| CVE-2021-31807 | medium | — | 6.5 | 5y ago | RHSA-2021:4292: squid:4 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-31806 | medium | — | 6.5 | 5y ago | RHSA-2021:4292: squid:4 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-22791 | medium | 6.5 | 6.5 | 5y ago | A CWE-787: Out-of-bounds Write vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project f… | |||
| CVE-2021-22790 | medium | 6.5 | 6.5 | 5y ago | A CWE-125: Out-of-bounds Read vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the controller application with a specially crafted project fi… | |||
| CVE-2021-22789 | medium | 6.5 | 6.5 | 5y ago | A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability that could cause a Denial of Service on the Modicon PLC controller / simulator when updating the contr… | |||
| CVE-2021-21735 | medium | 6.5 | 6.5 | 5y ago | A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user inf… | |||
| CVE-2021-47957 | medium | 6.4 | 6.4 | 22d ago | Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Att… | |||
| CVE-2021-47968 | medium | 6.4 | 6.4 | 23d ago | Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description p… | |||
| CVE-2021-47962 | medium | 6.4 | 6.4 | 23d ago | Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers… | |||
| CVE-2021-47951 | medium | 6.4 | 6.4 | 28d ago | WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access C… | |||
| CVE-2021-47950 | medium | 6.4 | 6.4 | 28d ago | Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulati… | |||
| CVE-2021-47947 | medium | 6.4 | 6.4 | 28d ago | Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edi… | |||
| CVE-2021-47931 | medium | 6.4 | 6.4 | 28d ago | Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing e… | |||
| CVE-2021-47929 | medium | 6.4 | 6.4 | 28d ago | Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attac… | |||
| CVE-2021-47927 | medium | 6.4 | 6.4 | 28d ago | WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization … | |||
| CVE-2021-47926 | medium | 6.4 | 6.4 | 28d ago | Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name f… | |||
| CVE-2021-47925 | medium | 6.4 | 6.4 | 28d ago | CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file uplo… | |||
| CVE-2021-47924 | medium | 6.4 | 6.4 | 28d ago | Ultimate Product Catalogue 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit… | |||
| CVE-2021-47922 | medium | 6.4 | 6.4 | 28d ago | Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScrip… | |||
| CVE-2021-47910 | medium | 6.4 | 6.4 | 28d ago | AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon titl… | |||
| CVE-2021-47907 | medium | 6.4 | 6.4 | 28d ago | Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attac… | |||
| CVE-2021-47978 | medium | 6.2 | 6.2 | 22d ago | ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send req… | |||
| CVE-2021-47967 | medium | 6.1 | 6.1 | 23d ago | PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers … | |||
| CVE-2021-47836 | medium | 6.1 | 6.1 | 5mo ago | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with e… | |||
| CVE-2021-4195 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows XSS Targeting HTML Attributes. … | |||
| CVE-2021-44197 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Informa… | |||
| CVE-2021-44196 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Informa… | |||
| CVE-2021-40327 | medium | 5.9 | 5.9 | 5y ago | Trusted Firmware-M (TF-M) 1.4.0, when Profile Small is used, has incorrect access control. NSPE can access a secure key (held by the Crypto service) based solely on knowledge of its key ID. For examp… | |||
| CVE-2021-45105 | medium | 5.9 | 5.9 | 5y ago | Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thre… | |||
| CVE-2021-28511 | medium | 5.8 | 5.8 | 4y ago | This advisory documents the impact of an internally found vulnerability in Arista EOS for security ACL bypass. The impact of this vulnerability is that the security ACL drop rule might be bypassed if… | |||
| CVE-2021-41073 | medium | — | 5.5 | — | loop_rw_iter in fs/io_uring.c in the Linux kernel 5.10 through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by… | |||
| CVE-2021-38166 | medium | — | 5.5 | — | In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is an integer overflow and out-of-bounds write when many elements are placed in a single bucket. NOTE: exploitation might be impracti… | |||
| CVE-2021-36584 | medium | — | 5.5 | — | An issue was discovered in GPAC 1.0.1. There is a heap-based buffer overflow in the function gp_rtp_builder_do_tx3g function in ietf/rtp_pck_3gpp.c, as demonstrated by MP4Box. This can cause a denial… | |||
| CVE-2021-41054 | medium | — | 5.5 | — | tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options. | |||
| CVE-2021-3755 | medium | — | 5.5 | — | arbitrary command execution in rsync | |||
| CVE-2021-32078 | medium | — | 5.5 | — | An Out-of-Bounds Read was discovered in arch/arm/mach-footbridge/personal-pci.c in the Linux kernel through 5.12.11 because of the lack of a check for a value that shouldn't be negative, e.g., access… | |||
| CVE-2021-21900 | medium | — | 5.5 | — | A code execution vulnerability exists in the dxfRW::processLType() functionality of LibreCad libdxfrw 2.2.0-rc2-19-ge02f3580. A specially-crafted .dxf file can lead to a use-after-free vulnerability.… | |||
| CVE-2021-44542 | medium | — | 5.5 | — | A memory leak vulnerability was found in Privoxy when handling errors. | |||
| CVE-2021-33896 | medium | — | 5.5 | — | Dino before 0.1.2 and 0.2.x before 0.2.1 allows Directory Traversal (only for creation of new files) via URI-encoded path separators. | |||
| CVE-2021-30587 | medium | — | 5.5 | — | Inappropriate implementation in Compositing in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2021-46142 | medium | — | 5.5 | — | An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. | |||
| CVE-2021-34548 | medium | — | 5.5 | — | An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003. An attacker can forge RELAY_END or RELAY_RESOLVED to bypass the intended access control for ending a stream. | |||
| CVE-2021-34340 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-28421 | medium | — | 5.5 | — | arbitrary code execution in fluidsynth | |||
| CVE-2021-3195 | medium | — | 5.5 | — | multiple issues in bitcoin-daemon | |||
| CVE-2021-30020 | medium | — | 5.5 | — | In the function gf_hevc_read_pps_bs_internal function in media_tools/av_parsers.c in GPAC 1.0.1 there is a loop, which with crafted file, pps->num_tile_columns may be larger than sizeof(pps->column_w… | |||
| CVE-2021-29474 | medium | — | 5.5 | — | information disclosure in hedgedoc | |||
| CVE-2021-25321 | medium | — | 5.5 | — | A UNIX Symbolic Link (Symlink) Following vulnerability in arpwatch of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Factory, Leap 15.2 al… | |||
| CVE-2021-30015 | medium | — | 5.5 | — | There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the ctx.opid maybe NULL… | |||
| CVE-2021-31255 | medium | — | 5.5 | — | Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | |||
| CVE-2021-20308 | medium | — | 5.5 | — | Integer overflow in the htmldoc 1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service that is similar to CVE-2017-9181. | |||
| CVE-2021-30586 | medium | — | 5.5 | — | Use after free in dialog box handling in Windows in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corrupti… | |||
| CVE-2021-44974 | medium | — | 5.5 | — | radareorg radare2 version 5.5.2 is vulnerable to NULL Pointer Dereference via libr/bin/p/bin_symbols.c binary symbol parser. | |||
| CVE-2021-37861 | medium | — | 5.5 | — | information disclosure in mattermost | |||
| CVE-2021-22568 | medium | — | 5.5 | — | multiple issues in dart | |||
| CVE-2021-39939 | medium | — | 5.5 | — | multiple issues in gitlab-runner | |||
| CVE-2021-4022 | medium | — | 5.5 | — | multiple issues in rizin | |||
| CVE-2021-43814 | medium | — | 5.5 | — | multiple issues in rizin | |||
| CVE-2021-3935 | medium | — | 5.5 | — | When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate ver… | |||
| CVE-2021-39947 | medium | — | 5.5 | — | multiple issues in gitlab-runner | |||
| CVE-2021-34341 | medium | — | 5.5 | — | multiple issues in ming | |||
| CVE-2021-39918 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-39916 | medium | — | 5.5 | — | multiple issues in gitlab | |||
| CVE-2021-20226 | medium | — | 5.5 | — | A use-after-free flaw was found in the io_uring in Linux kernel, where a local attacker with a user privilege could cause a denial of service problem on the system The issue results from the lack of … | |||
| CVE-2021-35057 | medium | — | 5.5 | — | multiple issues in hyperkitty | |||
| CVE-2021-22172 | medium | — | 5.5 | — | information disclosure in gitlab | |||
| CVE-2021-34693 | medium | — | 5.5 | — | net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. | |||
| CVE-2021-23977 | medium | — | 5.5 | — | Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue is only affected… | |||
| CVE-2021-37969 | medium | — | 5.5 | — | Inappropriate implementation in Google Updater in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to perform local privilege escalation via a crafted file. | |||
| CVE-2021-30469 | medium | — | 5.5 | — | A flaw was found in PoDoFo 0.9.7. An use-after-free in PoDoFo::PdfVecObjects::Clear() function can cause a denial of service via a crafted PDF file. | |||
| CVE-2021-42373 | medium | — | 5.5 | — | A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given | |||
| CVE-2021-44143 | medium | — | 5.5 | — | A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that star… | |||
| CVE-2021-20268 | medium | — | 5.5 | — | An out-of-bounds access flaw was found in the Linux kernel's implementation of the eBPF code verifier in the way a user running the eBPF script calls dev_map_init_map or sock_map_alloc. This flaw all… | |||
| CVE-2021-1093 | medium | — | 5.5 | — | multiple issues in nvidia-utils | |||
| CVE-2021-3500 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences. | |||
| CVE-2021-42378 | medium | — | 5.5 | — | A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function | |||
| CVE-2021-42376 | medium | — | 5.5 | — | A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used fo… | |||
| CVE-2021-35940 | medium | — | 5.5 | — | An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x b… | |||
| CVE-2021-42694 | medium | — | 5.5 | — | content spoofing in rust | |||
| CVE-2021-41801 | medium | — | 5.5 | — | The ReplaceText extension through 1.41 for MediaWiki has Incorrect Access Control. When a user is blocked after submitting a replace job, the job is still run, even if it may be run at a later time (… | |||
| CVE-2021-23134 | medium | — | 5.5 | — | Use After Free vulnerability in nfc sockets in the Linux Kernel before 5.12.4 allows local attackers to elevate their privileges. In typical configurations, the issue can only be triggered by a privi… | |||
| CVE-2021-34479 | medium | — | 5.5 | — | multiple issues in code |