CVEs from 2021
Total
4,784
critical
critical 281
high
high 1,014
medium
medium 1,186
low
low 139
% Critical
5.9%
% with KEV
4.5%
% with exploit
5.4%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-20028 | unknown | — | 1.5 | 4y ago | SonicWall Secure Remote Access (SRA) products contain an improper neutralization of a SQL Command leading to SQL injection. | |||
| CVE-2021-38646 | unknown | — | 1.5 | 4y ago | Microsoft Office Access Connectivity Engine contains an unspecified vulnerability which can allow for remote code execution. | |||
| CVE-2021-22941 | unknown | — | 1.5 | 4y ago | Improper Access Control in Citrix ShareFile storage zones controller may allow an unauthenticated attacker to remotely compromise the storage zones controller. | |||
| CVE-2021-21973 | unknown | — | 1.5 | 4y ago | VMware vCenter Server and Cloud Foundation Server contain a SSRF vulnerability due to improper validation of URLs in a vCenter Server plugin. This allows for information disclosure. | |||
| CVE-2021-41379 | unknown | — | 1.5 | 4y ago | Microsoft Windows Installer contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-20038 | unknown | — | 1.5 | 4y ago | SonicWall SMA 100 devies are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution. | |||
| CVE-2021-35247 | unknown | — | 1.5 | 4y ago | SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability that allows attackers to build and send queries without sanitization. | |||
| CVE-2021-40870 | unknown | — | 1.5 | 4y ago | Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal. | |||
| CVE-2021-33766 | unknown | — | 1.5 | 4y ago | Microsoft Exchange Server contains an information disclosure vulnerability which can allow an unauthenticated attacker to steal email traffic from target. | |||
| CVE-2021-22991 | unknown | — | 1.5 | 4y ago | The Traffic Management Microkernel of BIG-IP ASM Risk Engine has a buffer overflow vulnerability, leading to a bypassing of URL-based access controls. | |||
| CVE-2021-27860 | unknown | — | 1.5 | 5y ago | A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. | |||
| CVE-2021-22017 | unknown | — | 1.5 | 5y ago | Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. | |||
| CVE-2021-43890 | unknown | — | 1.5 | 5y ago | Microsoft Windows AppX Installer contains a spoofing vulnerability which has a high impacts to confidentiality, integrity, and availability. | |||
| CVE-2021-44168 | unknown | — | 1.5 | 5y ago | Fortinet FortiOS "execute restore src-vis" downloads code without integrity checking, allowing an attacker to arbitrarily download files. | |||
| CVE-2021-44515 | unknown | — | 1.5 | 5y ago | Zoho Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server. | |||
| CVE-2021-35394 | unknown | — | 1.5 | 5y ago | RealTek Jungle SDK contains multiple memory corruption vulnerabilities which can allow an attacker to perform remote code execution. | |||
| CVE-2021-37415 | unknown | — | 1.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication | |||
| CVE-2021-42292 | unknown | — | 1.5 | 5y ago | A security feature bypass vulnerability in Microsoft Excel would allow a local user to perform arbitrary code execution. | |||
| CVE-2021-36741 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security contain an improper input validation vulnerability that allows a remote attacker to upload files. | |||
| CVE-2021-35211 | unknown | — | 1.5 | 5y ago | SolarWinds Serv-U contains an unspecified memory escape vulnerability which can allow for remote code execution. | |||
| CVE-2021-27104 | unknown | — | 1.5 | 5y ago | Accellion FTA contains an OS command injection vulnerability exploited via a crafted POST request to various admin endpoints. | |||
| CVE-2021-20090 | unknown | — | 1.5 | 5y ago | Arcadyan Buffalo firmware contains a path traversal vulnerability that could allow unauthenticated, remote attackers to bypass authentication and access sensitive information. This vulnerability affe… | |||
| CVE-2021-31955 | unknown | — | 1.5 | 5y ago | Microsoft Windows Kernel contains an unspecified vulnerability that allows for information disclosure. Successful exploitation allows attackers to read the contents of kernel memory from a user-mode … | |||
| CVE-2021-1647 | unknown | — | 1.5 | 5y ago | Microsoft Defender contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-31979 | unknown | — | 1.5 | 5y ago | Microsoft Windows kernel contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-36948 | unknown | — | 1.5 | 5y ago | Microsoft Windows Update Medic Service contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-38645 | unknown | — | 1.5 | 5y ago | Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-20016 | unknown | — | 1.5 | 5y ago | SonicWall SSLVPN SMA100 contains a SQL injection vulnerability that allows remote exploitation for credential access by an unauthenticated attacker. | |||
| CVE-2021-31755 | unknown | — | 1.5 | 5y ago | Tenda AC11 devices contain a stack buffer overflow vulnerability in /goform/setmac which allows attackers to execute code via a crafted post request. | |||
| CVE-2021-21017 | unknown | — | 1.5 | 5y ago | Acrobat Acrobat and Reader contain a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user. | |||
| CVE-2021-33739 | unknown | — | 1.5 | 5y ago | Microsoft Desktop Window Manager (DWM) Core Library contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-33742 | unknown | — | 1.5 | 5y ago | Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-34448 | unknown | — | 1.5 | 5y ago | Microsoft Windows Scripting Engine contains an unspecified vulnerability that allows for memory corruption. | |||
| CVE-2021-30860 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, and watchOS CoreGraphics contain an integer overflow vulnerability which may allow code execution when processing a maliciously crafted PDF. The vulnerability is also known … | |||
| CVE-2021-22893 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure contains a use-after-free vulnerability that allow a remote, unauthenticated attacker to execute code via license services. | |||
| CVE-2021-22899 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure contains a command injection vulnerability that allows remote authenticated users to perform remote code execution via Windows File Resource Profiles. | |||
| CVE-2021-26858 | unknown | — | 1.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-31199 | unknown | — | 1.5 | 5y ago | Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-27102 | unknown | — | 1.5 | 5y ago | Accellion FTA contains an OS command injection vulnerability exploited via a local web service call. | |||
| CVE-2021-31201 | unknown | — | 1.5 | 5y ago | Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-22506 | unknown | — | 1.5 | 5y ago | Micro Focus Access Manager contains an information leakage vulnerability resulting from a SAML service provider redirection issue when the Assertion Consumer Service URL is used. | |||
| CVE-2021-27059 | unknown | — | 1.5 | 5y ago | Microsoft Office contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-26857 | unknown | — | 1.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-35395 | unknown | — | 1.5 | 5y ago | Realtek AP-Router SDK HTTP web server boa contains a buffer overflow vulnerability due to unsafe copies of some overly long parameters submitted in the form that lead to denial-of-service (DoS). | |||
| CVE-2021-20021 | unknown | — | 1.5 | 5y ago | SonicWall Email Security contains an improper privilege management vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. This… | |||
| CVE-2021-30116 | unknown | — | 1.5 | 5y ago | Kaseya Virtual System/Server Administrator (VSA) contains an information disclosure vulnerability allowing an attacker to obtain the sessionId that can be used to execute further attacks against the … | |||
| CVE-2021-23874 | unknown | — | 1.5 | 5y ago | McAfee Total Protection (MTP) contains an improper privilege management vulnerability that allows a local user to gain elevated privileges and execute code, bypassing MTP self-defense. | |||
| CVE-2021-30713 | unknown | — | 1.5 | 5y ago | Apple macOS Transparency, Consent, and Control (TCC) contains an unspecified permissions issue which may allow a malicious application to bypass privacy preferences. | |||
| CVE-2021-31956 | unknown | — | 1.5 | 5y ago | Microsoft Windows New Technology File System (NTFS) contains an unspecified vulnerability that allows attackers to escalate privileges via a specially crafted application. | |||
| CVE-2021-30869 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, and macOS contain a type confusion vulnerability in the XNU which may allow a malicious application to execute code with kernel privileges. | |||
| CVE-2021-26411 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains an unspecified vulnerability that allows for memory corruption. | |||
| CVE-2021-28310 | unknown | — | 1.5 | 5y ago | Microsoft Windows Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-1906 | unknown | — | 1.5 | 5y ago | Multiple Qualcomm chipsets contain a detection of error condition without action vulnerability when improper handling of address deregistration on failure can lead to new GPU address allocation failu… | |||
| CVE-2021-1782 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOs, macOS, watchOS, and tvOS contain a race condition vulnerability that may allow a malicious application to elevate privileges. | |||
| CVE-2021-33771 | unknown | — | 1.5 | 5y ago | Microsoft Windows kernel contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-20022 | unknown | — | 1.5 | 5y ago | SonicWall Email Security contains an unrestricted upload of file with dangerous type vulnerability that allows a post-authenticated attacker to upload a file to the remote host. This vulnerability ha… | |||
| CVE-2021-27103 | unknown | — | 1.5 | 5y ago | Accellion FTA contains a server-side request forgery (SSRF) vulnerability exploited via a crafted POST request to wmProgressstat.html. | |||
| CVE-2021-38649 | unknown | — | 1.5 | 5y ago | Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation. | |||
| CVE-2021-22900 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure contains an unrestricted file upload vulnerability that allows an authenticated administrator to perform a file write via a maliciously crafted archive upload in the admin… | |||
| CVE-2021-28664 | unknown | — | 1.5 | 5y ago | Arm Mali Graphics Processing Unit (GPU) kernel driver contains an unspecified vulnerability that may allow a non-privileged user to gain write access to read-only memory, gain root privilege, corrupt… | |||
| CVE-2021-27101 | unknown | — | 1.5 | 5y ago | Accellion FTA contains a SQL injection vulnerability exploited via a crafted host header in a request to document_root.html. | |||
| CVE-2021-27561 | unknown | — | 1.5 | 5y ago | Yealink Device Management contains a server-side request forgery (SSRF) vulnerability that allows for unauthenticated remote code execution. | |||
| CVE-2021-28663 | unknown | — | 1.5 | 5y ago | Arm Mali Graphics Processing Unit (GPU) kernel driver contains a use-after-free vulnerability that may allow a non-privileged user to make improper operations on GPU memory to gain root privilege, an… | |||
| CVE-2021-1905 | unknown | — | 1.5 | 5y ago | Multiple Qualcomm Chipsets contain a use after free vulnerability due to improper handling of memory mapping of multiple processes simultaneously. | |||
| CVE-2021-1879 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, and watchOS WebKit contain an unspecified vulnerability that allows for universal cross-site scripting (XSS) when processing maliciously crafted web content. This vulnerability cou… | |||
| CVE-2021-28550 | unknown | — | 1.5 | 5y ago | Adobe Acrobat and Reader contains a use-after-free vulnerability that could allow an unauthenticated attacker to achieve code execution in the context of the current user. | |||
| CVE-2021-36742 | unknown | — | 1.5 | 5y ago | Trend Micro Apex One, Apex One as a Service, and Worry-Free Business Security contain an improper input validation vulnerability that allows for privilege escalation. | |||
| CVE-2021-20023 | unknown | — | 1.5 | 5y ago | SonicWall Email Security contains a path traversal vulnerability that allows a post-authenticated attacker to read files on the remote host. This vulnerability has known usage in a SonicWall Email Se… | |||
| CVE-2021-27085 | unknown | — | 1.5 | 5y ago | Microsoft Internet Explorer contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-22894 | unknown | — | 1.5 | 5y ago | Ivanti Pulse Connect Secure Collaboration Suite contains a buffer overflow vulnerabilities that allows a remote authenticated users to execute code as the root user via maliciously crafted meeting ro… | |||
| CVE-2021-30807 | unknown | — | 1.5 | 5y ago | Apple iOS, iPadOS, macOS, and watchOS IOMobileFrameBuffer contain a memory corruption vulnerability which may allow an application to execute code with kernel privileges. | |||
| CVE-2021-36955 | unknown | — | 1.5 | 5y ago | Microsoft Windows Common Log File System (CLFS) driver contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-32648 | unknown | — | 1.5 | 5y ago | In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. | |||
| CVE-2021-21315 | unknown | — | 1.5 | 5y ago | The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. In systeminformation b… | |||
| CVE-2021-21311 | unknown | — | 1.5 | 5y ago | Adminer contains a server-side request forgery vulnerability that, when exploited, allows a remote attacker to obtain potentially sensitive information. | |||
| CVE-2021-43116 | unknown | — | 1.0 | 4y ago | Use of Hard-coded Credentials in Nacos | |||
| CVE-2021-42697 | unknown | — | 1.0 | 4y ago | Uncontrolled Recursion in Akka HTTP | |||
| CVE-2021-22145 | unknown | — | 1.0 | 4y ago | Generation of Error Message Containing Sensitive Information in Elasticsearch | |||
| CVE-2021-38294 | unknown | — | 1.0 | 5y ago | Command injection leading to Remote Code Execution in Apache Storm | |||
| CVE-2021-34429 | unknown | — | 1.0 | 5y ago | Encoded URIs can access WEB-INF directory in Eclipse Jetty | |||
| CVE-2021-25646 | unknown | — | 1.0 | 5y ago | Code injection in Apache Druid | |||
| CVE-2021-27850 | unknown | — | 1.0 | 5y ago | Remote code execution in Apache Tapestry | |||
| CVE-2021-33561 | unknown | — | 1.0 | 5y ago | Cross-site scripting in Shopizer | |||
| CVE-2021-33562 | unknown | — | 1.0 | 5y ago | Cross-site scripting in Shopizer | |||
| CVE-2021-28164 | unknown | — | 1.0 | 5y ago | Authorization Before Parsing and Canonicalization in jetty | |||
| CVE-2021-47259 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix use-after-free in nfs4_init_client() KASAN reports a use-after-free when attempting to mount two different exports throu… | |||
| CVE-2021-47016 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: m68k: mvme147,mvme16x: Don't wipe PCC timer config bits Don't clear the timer 1 configuration bits when clearing the interrupt fl… | |||
| CVE-2021-47041 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix incorrect locking in state_change sk callback We are not changing anything in the TCP connection state so we shoul… | |||
| CVE-2021-20181 | unknown | — | — | — | A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating the… | |||
| CVE-2021-20203 | unknown | — | — | — | An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameter… | |||
| CVE-2021-47174 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version Arturo reported this backtrace: [709732… | |||
| CVE-2021-4079 | unknown | — | — | — | Out of bounds write in WebRTC in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via crafted WebRTC packets. | |||
| CVE-2021-44686 | unknown | — | — | — | calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service) in html_preprocess_rules in ebooks/conversion/preprocess.py. | |||
| CVE-2021-29958 | unknown | — | — | — | When a download was initiated, the client did not check whether it was in normal or private browsing mode, which led to private mode cookies being shared in normal browsing mode. This vulnerability a… | |||
| CVE-2021-47584 | unknown | — | — | — | In the Linux kernel, the following vulnerability has been resolved: iocost: Fix divide-by-zero on donation from low hweight cgroup The donation calculation logic assumes that the donor has non-zero… | |||
| CVE-2021-0707 | unknown | — | — | — | In dma_buf_release of dma-buf.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User i… | |||
| CVE-2021-0935 | unknown | — | — | — | In ip6_xmit of ip6_output.c, there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interactio… | |||
| CVE-2021-0938 | unknown | — | — | — | In memzero_explicit of compiler-clang.h, there is a possible bypass of defense in depth due to uninitialized data. This could lead to local information disclosure with no additional execution privile… | |||
| CVE-2021-0961 | unknown | — | — | — | In quota_proc_write of xt_quota2.c, there is a possible way to read kernel memory due to uninitialized data. This could lead to local information disclosure with System execution privileges needed. U… | |||
| CVE-2021-3411 | unknown | — | — | — | A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. The highest threat from this vulnerabili… |