CVEs from 2021
Summary

- Total: 4,783
- Critical: 281
- High: 1,014
- Medium: 1,186
- Low: 139
- % critical: 5.9%
- % with KEV (listed in the CISA Known Exploited Vulnerabilities catalog): 4.5%
- % with known exploit: 5.4%
Top vendors

Top products (CPE product name, number of 2021 CVEs)

- simatic_wincc_runtime_advanced (28)
- office (13)
- primavera_gateway (10)
- weblogic_server (9)
- primavera_unifier (8)
- modicon_m340_bmxp342020 (8)
- log4j (8)
- mbed_tls (8)
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-22696 | unknown | — | — | — | — | — | 5y ago | Authorization service vulnerable to DDoS attacks in Apache CXF |
| CVE-2021-26715 | unknown | — | — | — | — | — | 5y ago | Server Side Request Forgery (SSRF) in org.mitre:openid-connect-server |
| CVE-2021-26544 | unknown | — | — | — | — | — | 5y ago | Apache Livy Cross-site scripting (XSS) in session names |
| CVE-2021-27906 | unknown | — | — | — | — | — | 5y ago | Uncontrolled Memory Allocation in Apache PDFBox |
| CVE-2021-21424 | unknown | — | — | — | — | — | 5y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling de… |
| CVE-2021-23368 | unknown | — | — | — | — | — | 5y ago | The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. |
| CVE-2021-28657 | unknown | — | — | — | — | — | 5y ago | Infinite loop in Apache Tika |
| CVE-2021-26074 | unknown | — | — | — | — | — | 5y ago | Broken Authentication in Atlassian Connect Spring Boot |
| CVE-2021-22113 | unknown | — | — | — | — | — | 5y ago | Incorrect Authorization in Spring Cloud Netflix Zuul |
| CVE-2021-23339 | unknown | — | — | — | — | — | 5y ago | HTTP Request Smuggling in akka-http-core |
| CVE-2021-31411 | unknown | — | — | — | — | — | 5y ago | Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 |
| CVE-2021-31409 | unknown | — | — | — | — | — | 5y ago | Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8 |
| CVE-2021-21429 | unknown | — | — | — | — | — | 5y ago | Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI Generator Maven plugin |
| CVE-2021-29442 | unknown | — | — | — | — | — | 5y ago | Authentication bypass for specific endpoint |
| CVE-2021-29441 | unknown | — | — | — | — | — | 5y ago | Authentication Bypass |
| CVE-2021-28168 | unknown | — | — | — | — | — | 5y ago | Local information disclosure via system temporary directory |
| CVE-2021-29459 | unknown | — | — | — | — | — | 5y ago | Cross-site scripting (XSS) |
| CVE-2021-31408 | unknown | — | — | — | — | — | 5y ago | Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 |
| CVE-2021-29451 | unknown | — | — | — | — | — | 5y ago | Missing validation of JWT signature in `ManyDesigns/Portofino` |
| CVE-2021-31404 | unknown | — | — | — | — | — | 5y ago | Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 |
| CVE-2021-31403 | unknown | — | — | — | — | — | 5y ago | Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8 |
| CVE-2021-31406 | unknown | — | — | — | — | — | 5y ago | Timing side channel vulnerability in endpoint request handler in Vaadin 15-19 |
| CVE-2021-31405 | unknown | — | — | — | — | — | 5y ago | Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17 |
| CVE-2021-23369 | unknown | — | — | — | — | — | 5y ago | Remote code execution in handlebars when compiling templates |
| CVE-2021-28163 | unknown | — | — | — | — | — | 5y ago | Directory exposure in jetty |
| CVE-2021-21388 | unknown | — | — | — | — | — | 5y ago | systeminformation is an open source system and OS information library for node.js. A command injection vulnerability has been discovered in versions of systeminformation prior to 5.6.4. The issue has… |
| CVE-2021-28100 | unknown | — | — | — | — | — | 5y ago | Netflix/Priam: Temporary Directory Information Disclosure |
| CVE-2021-28099 | unknown | — | — | — | — | — | 5y ago | Insecure temporary file in Netflix OSS Hollow |
| CVE-2021-21380 | unknown | — | — | — | — | — | 5y ago | Rating Script Service exposes XWiki to SQL injection |
| CVE-2021-21379 | unknown | — | — | — | — | — | 5y ago | It is possible to execute arbitrary content with the rights of the author of a macro that uses the {{wikimacrocontent}} macro |
| CVE-2021-21351 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21350 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21349 | unknown | — | — | — | — | — | 5y ago | A Server-Side Request Forgery can be triggered when unmarshalling with XStream, to access data streams from an arbitrary URL referencing a resource on an intranet or the local host |
| CVE-2021-21348 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to a Regular Expression Denial of Service (ReDoS) attack |
| CVE-2021-21347 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21346 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21345 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to a Remote Command Execution attack |
| CVE-2021-21344 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21343 | unknown | — | — | — | — | — | 5y ago | XStream is vulnerable to Arbitrary File Deletion on the local host when unmarshalling, as long as the executing process has sufficient rights |
| CVE-2021-21342 | unknown | — | — | — | — | — | 5y ago | A Server-Side Request Forgery can be triggered when unmarshalling with XStream, to access data streams from an arbitrary URL referencing a resource on an intranet or the local host |
| CVE-2021-21341 | unknown | — | — | — | — | — | 5y ago | XStream can cause a Denial of Service |
| CVE-2021-25329 | unknown | — | — | — | — | — | 5y ago | The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikel… |
| CVE-2021-22132 | unknown | — | — | — | — | — | 5y ago | Insufficiently Protected Credentials in Elasticsearch |
| CVE-2021-22134 | unknown | — | — | — | — | — | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor |
| CVE-2021-21364 | unknown | — | — | — | — | — | 5y ago | Generated Code Contains Local Information Disclosure Vulnerability |
| CVE-2021-21363 | unknown | — | — | — | — | — | 5y ago | Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory |
| CVE-2021-21361 | unknown | — | — | — | — | — | 5y ago | Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin |
| CVE-2021-21331 | unknown | — | — | — | — | — | 5y ago | Local Information Disclosure Vulnerability |
| CVE-2021-21479 | unknown | — | — | — | — | — | 5y ago | Remote Code Execution in SCIMono |
| CVE-2021-21294 | unknown | — | — | — | — | — | 5y ago | Unbounded connection acceptance in http4s-blaze-server |
| CVE-2021-21293 | unknown | — | — | — | — | — | 5y ago | Unbounded connection acceptance leads to file handle exhaustion |
| CVE-2021-21028 | unknown | — | — | — | — | — | 5y ago | Reflected Cross-site Scripting in ACS Commons |
| CVE-2021-3137 | unknown | — | — | — | — | — | 5y ago | Cross Site Scripting (XSS) in XWiki |
| CVE-2021-20190 | unknown | — | — | — | — | — | 5y ago | A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidential… |
| CVE-2021-21234 | unknown | — | — | — | — | — | 6y ago | Directory Traversal in spring-boot-actuator-logview |