CVEs from 2021
Total
4,786
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.5%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-2163 | medium | — | 5.5 | 5y ago | RHSA-2022:6735: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2021-3115 | medium | — | 5.5 | 5y ago | RHSA-2021:1746: go-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-29949 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23993 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23991 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-29950 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23992 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-3347 | medium | — | 5.5 | 5y ago | An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1… | |||
| CVE-2021-20295 | medium | — | 5.5 | 5y ago | It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to i… | |||
| CVE-2021-28965 | medium | — | 5.5 | 5y ago | RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-3447 | medium | — | 5.5 | 5y ago | A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controlle… | |||
| CVE-2021-21409 | medium | — | 5.5 | 5y ago | Possible request smuggling in HTTP/2 due missing validation of content-length | |||
| CVE-2021-25291 | medium | — | 5.5 | 5y ago | An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. | |||
| CVE-2021-25292 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25290 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25293 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25289 | medium | — | 5.5 | 5y ago | An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NO… | |||
| CVE-2021-27291 | medium | — | 5.5 | 5y ago | RHSA-2021:4151: python27:2.7 security update (Moderate) | |||
| CVE-2021-28834 | medium | — | 5.5 | 5y ago | Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. | |||
| CVE-2021-28957 | medium | — | 5.5 | 5y ago | RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate) | |||
| CVE-2021-27290 | medium | — | 5.5 | 5y ago | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-27922 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-27921 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-27923 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-21295 | medium | — | 5.5 | 5y ago | Possible request smuggling in HTTP/2 due missing validation | |||
| CVE-2021-28305 | medium | — | 5.5 | 5y ago | An issue was discovered in the diesel crate before 1.4.6 for Rust. There is a use-after-free in the SQLite backend because the semantics of sqlite3_column_name are not followed. | |||
| CVE-2021-21306 | medium | — | 5.5 | 5y ago | Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. Thi… | |||
| CVE-2021-21290 | medium | — | 5.5 | 5y ago | Local Information Disclosure Vulnerability in Netty on Unix-Like systems | |||
| CVE-2021-21240 | medium | — | 5.5 | 5y ago | httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header… | |||
| CVE-2021-3715 | medium | — | 5.5 | 6y ago | A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free … | |||
| CVE-2021-2007 | medium | — | 5.5 | 6y ago | RHSA-2020:5503: mariadb-connector-c security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-47981 | medium | 5.4 | 5.4 | 22d ago | Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription par… | |||
| CVE-2021-47955 | medium | 5.4 | 5.4 | 22d ago | CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality… | |||
| CVE-2021-47948 | medium | 5.4 | 5.4 | 28d ago | WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers… | |||
| CVE-2021-47870 | medium | 5.4 | 5.4 | 5mo ago | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypasse… | |||
| CVE-2021-47817 | medium | 5.4 | 5.4 | 5mo ago | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability in user profile parameters that authenticated attackers can chain with a file upload to achieve remote code execution. Attackers can expl… | |||
| CVE-2021-45479 | medium | 5.4 | 5.4 | 3y ago | Improper Neutralization of Input During Web Page Generation vulnerability in Yordam Information Technologies Library Automation System allows Stored XSS. This issue affects Library Automation System… | |||
| CVE-2021-47934 | medium | 5.3 | 5.3 | 22d ago | MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and … | |||
| CVE-2021-47946 | medium | 5.3 | 5.3 | 28d ago | OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiti… | |||
| CVE-2021-45475 | medium | 5.3 | 5.3 | 4y ago | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated Information disclosure vulnerability. | |||
| CVE-2021-44795 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitat… | |||
| CVE-2021-44794 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploita… | |||
| CVE-2021-44792 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of thi… | |||
| CVE-2021-35556 | medium | 5.3 | 5.3 | 5y ago | RHSA-2022:0345: java-1.8.0-ibm security update (Important) | |||
| CVE-2021-3806 | medium | 5.3 | 5.3 | 5y ago | A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system. | |||
| CVE-2021-22764 | medium | 5.3 | 5.3 | 5y ago | A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could… | |||
| CVE-2021-22897 | medium | 5.3 | 5.3 | 5y ago | curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The s… | |||
| CVE-2021-31944 | medium | 5.0 | 5.0 | 5y ago | 3D Viewer Information Disclosure Vulnerability | |||
| CVE-2021-36647 | medium | 4.7 | 4.7 | 3y ago | Use of a Broken or Risky Cryptographic Algorithm in the function mbedtls_mpi_exp_mod() in lignum.c in Mbed TLS Mbed TLS all versions before 3.0.0, 2.27.0 or 2.16.11 allows attackers with access to pr… | |||
| CVE-2021-45476 | medium | 4.7 | 4.7 | 4y ago | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability. | |||
| CVE-2021-22701 | medium | 4.5 | 4.5 | 5y ago | A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that c… | |||
| CVE-2021-47958 | medium | 4.3 | 4.3 | 23d ago | CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG file… | |||
| CVE-2021-47953 | medium | 4.3 | 4.3 | 28d ago | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick a… | |||
| CVE-2021-4479 | medium | 4.0 | 4.0 | 4d ago | Dräger Atlan A350 software versions 1.00 through 1.01 contains an improper input handling vulnerability that allows attackers to cause a denial of service by sending specifically crafted non-Medibus-… | |||
| CVE-2021-46678 | medium | 4.0 | 4.0 | 4y ago | A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the service name field. | |||
| CVE-2021-46680 | medium | 4.0 | 4.0 | 4y ago | A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the module form name field. | |||
| CVE-2021-46677 | medium | 4.0 | 4.0 | 4y ago | A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the event filter name field. | |||
| CVE-2021-46676 | medium | 4.0 | 4.0 | 4y ago | A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via the transactional maps name field. | |||
| CVE-2021-46679 | medium | 4.0 | 4.0 | 4y ago | A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via service elements. | |||
| CVE-2021-46681 | medium | 4.0 | 4.0 | 4y ago | A XSS vulnerability exist in Pandora FMS version 756 and below, that allows an attacker to perform javascript code executions via module massive operation name field. | |||
| CVE-2021-36368 | low | 3.7 | 3.7 | 4y ago | An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbose, and an attacker has silently modified the server to… | |||
| CVE-2021-21300 | low | — | 3.5 | — | Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as… | |||
| CVE-2021-25740 | low | 3.1 | 3.1 | 5y ago | A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack. | |||
| CVE-2021-1405 | low | — | 2.5 | — | A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service con… | |||
| CVE-2021-20205 | low | — | 2.5 | — | Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a denial of service vulnerability caused by a divide by zero when processing a crafted GIF image. | |||
| CVE-2021-26934 | low | — | 2.5 | — | An issue was discovered in the Linux kernel 4.18 through 5.10.16, as used by Xen. The backend allocation (aka be-alloc) mode of the drm_xen_front drivers was not meant to be a supported configuration… | |||
| CVE-2021-27375 | low | — | 2.5 | — | insufficient validation in traefik | |||
| CVE-2021-20217 | low | — | 2.5 | — | A flaw was found in Privoxy in versions before 3.0.31. An assertion failure triggered by a crafted CGI request may lead to denial of service. The highest threat from this vulnerability is to system a… | |||
| CVE-2021-30046 | low | — | 2.5 | — | denial of service in vigra | |||
| CVE-2021-32275 | low | — | 2.5 | — | An issue was discovered in faust through v2.30.5. A NULL pointer dereference exists in the function CosPrim::computeSigOutput() located in cosprim.hh. It allows an attacker to cause Denial of Service. | |||
| CVE-2021-34183 | low | — | 2.5 | — | denial of service in imagemagick | |||
| CVE-2021-30218 | low | — | 2.5 | — | denial of service in samurai | |||
| CVE-2021-39922 | low | — | 2.5 | — | Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-20216 | low | — | 2.5 | — | A flaw was found in Privoxy in versions before 3.0.31. A memory leak that occurs when decompression fails unexpectedly may lead to a denial of service. The highest threat from this vulnerability is t… | |||
| CVE-2021-3476 | low | — | 2.5 | — | A flaw was found in OpenEXR's B44 uncompression functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to OpenEXR could trigger shift overflows, potentially aff… | |||
| CVE-2021-3478 | low | — | 2.5 | — | There's a flaw in OpenEXR's scanline input file functionality in versions before 3.0.0-beta. An attacker able to submit a crafted file to be processed by OpenEXR could consume excessive system memory… | |||
| CVE-2021-37622 | low | — | 2.5 | — | Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was found in Exiv2 versions v0.27.4 and earlier. The infini… | |||
| CVE-2021-30219 | low | — | 2.5 | — | denial of service in samurai | |||
| CVE-2021-3974 | low | — | 2.5 | — | vim is vulnerable to Use After Free | |||
| CVE-2021-39924 | low | — | 2.5 | — | Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-39925 | low | — | 2.5 | — | Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-39928 | low | — | 2.5 | — | NULL pointer exception in the IEEE 802.11 dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file | |||
| CVE-2021-28117 | low | — | 2.5 | — | libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover before 5.21.3 automatically creates links to potentially dangerous URLs (that are neither https:// nor http://) based on the content of… | |||
| CVE-2021-41865 | low | — | 2.5 | — | denial of service in nomad | |||
| CVE-2021-20296 | low | — | 2.5 | — | A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted input file supplied by an attacker, that is processed by the Dwa decompression functionality of OpenEXR's IlmImf library, could ca… | |||
| CVE-2021-3673 | low | — | 2.5 | — | A vulnerability was found in Radare2 in version 5.3.1. Improper input validation when reading a crafted LE binary can lead to resource exhaustion and DoS. | |||
| CVE-2021-32718 | low | — | 2.5 | — | cross-site scripting in rabbitmq | |||
| CVE-2021-3549 | low | — | 2.5 | — | An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a… | |||
| CVE-2021-38373 | low | — | 2.5 | — | In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is not honored (and cleartext messages are sent) unless "Server requires authentication" is checked. | |||
| CVE-2021-20177 | low | — | 2.5 | — | A flaw was found in the Linux kernel's implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) when inserting iptables rules could insert a rule which can pa… | |||
| CVE-2021-27815 | low | — | 2.5 | — | NULL Pointer Deference in the exif command line tool, when printing out XML formatted EXIF data, in exif v0.6.22 and earlier allows attackers to cause a Denial of Service (DoS) by uploading a malicio… | |||
| CVE-2021-28039 | low | — | 2.5 | — | An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of… | |||
| CVE-2021-3479 | low | — | 2.5 | — | There's a flaw in OpenEXR's Scanline API functionality in versions before 3.0.0-beta. An attacker who is able to submit a crafted file to be processed by OpenEXR could trigger excessive consumption o… | |||
| CVE-2021-1404 | low | — | 2.5 | — | A vulnerability in the PDF parsing module in Clam AntiVirus (ClamAV) Software versions 0.103.0 and 0.103.1 could allow an unauthenticated, remote attacker to cause a denial of service condition on an… | |||
| CVE-2021-3658 | low | — | 2.5 | — | bluetoothd from bluez incorrectly saves adapters' Discoverable status when a device is powered down, and restores it when powered up. If a device is powered down while discoverable, it will be discov… | |||
| CVE-2021-28089 | low | — | 2.5 | — | Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001. | |||
| CVE-2021-28090 | low | — | 2.5 | — | Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002. | |||
| CVE-2021-34334 | low | — | 2.5 | — | Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop is triggered when Exiv2 is used to read the metadata of a c… | |||
| CVE-2021-39220 | low | — | 2.5 | — | information disclosure in nextcloud-app-mail | |||
| CVE-2021-36690 | low | — | 2.5 | — | A segmentation fault can occur in the sqlite3.exe command-line component of SQLite 3.36.0 via the idxGetTableInfo function when there is a crafted SQL query. NOTE: the vendor disputes the relevance o… |