CVEs from 2021
- Total: 4,783
- Critical: 281
- High: 1,014
- Medium: 1,186
- Low: 139
- % Critical: 5.9%
- % with KEV: 4.5%
- % with exploit: 5.4%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-28678 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-28675 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25287 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-28676 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-3522 | medium | 5.5 | 5.5 | 5y ago | GStreamer before 1.18.4 may perform an out-of-bounds read when handling certain ID3v2 tags. | |||
| CVE-2021-33038 | medium | — | 5.5 | 5y ago | An issue was discovered in management/commands/hyperkitty_import.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration… | |||
| CVE-2021-20178 | medium | — | 5.5 | 5y ago | information disclosure in ansible | |||
| CVE-2021-20191 | medium | — | 5.5 | 5y ago | information disclosure in ansible | |||
| CVE-2021-33503 | medium | — | 5.5 | 5y ago | RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate) | |||
| CVE-2021-25735 | medium | — | 5.5 | 5y ago | A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Adm… | |||
| CVE-2021-21404 | medium | — | 5.5 | 5y ago | denial of service in syncthing-relaysrv, syncthing | |||
| CVE-2021-31204 | medium | — | 5.5 | 5y ago | privilege escalation in dotnet-sdk, dotnet-runtime | |||
| CVE-2021-3177 | medium | — | 5.5 | 5y ago | RHSA-2021:1879: python38:3.8 security update (Moderate) | |||
| CVE-2021-20225 | medium | — | 5.5 | 5y ago | RHSA-2021:2566: fwupd security update (Moderate) | |||
| CVE-2021-20233 | medium | — | 5.5 | 5y ago | RHSA-2021:2566: fwupd security update (Moderate) | |||
| CVE-2021-1817 | medium | — | 5.5 | 5y ago | A memory corruption issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted web… | |||
| CVE-2021-1825 | medium | — | 5.5 | 5y ago | An input validation issue was addressed with improved input validation. This issue is fixed in iTunes 12.11.3 for Windows, iCloud for Windows 12.3, macOS Big Sur 11.3, Safari 14.1, watchOS 7.4, tvOS … | |||
| CVE-2021-1826 | medium | — | 5.5 | 5y ago | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted web content may lea… | |||
| CVE-2021-1820 | medium | — | 5.5 | 5y ago | A memory initialization issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.3, iOS 14.5 and iPadOS 14.5, watchOS 7.4, tvOS 14.5. Processing maliciously crafted … | |||
| CVE-2021-20297 | medium | — | 5.5 | 5y ago | RHSA-2021:1574: NetworkManager and libnma security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-0326 | medium | — | 5.5 | 5y ago | RHSA-2021:1686: wpa_supplicant security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-29510 | medium | — | 5.5 | 5y ago | Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `dat… | |||
| CVE-2021-29471 | medium | — | 5.5 | 5y ago | Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push … | |||
| CVE-2021-21430 | medium | — | 5.5 | 5y ago | Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code | |||
| CVE-2021-29262 | medium | — | 5.5 | 5y ago | Improper permission handling in Apache Solr | |||
| CVE-2021-27905 | medium | — | 5.5 | 5y ago | Server-Side Request Forgery in Apache Solr | |||
| CVE-2021-29943 | medium | — | 5.5 | 5y ago | Incorrect Authorization in Apache Solr | |||
| CVE-2021-21419 | medium | — | 5.5 | 5y ago | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side… | |||
| CVE-2021-23362 | medium | — | 5.5 | 5y ago | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-22902 | medium | — | 5.5 | 5y ago | The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of A… | |||
| CVE-2021-22885 | medium | — | 5.5 | 5y ago | A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url` helper with untrusted user input. | |||
| CVE-2021-22903 | medium | — | 5.5 | 5y ago | The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Author… | |||
| CVE-2021-22904 | medium | — | 5.5 | 5y ago | The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive … | |||
| CVE-2021-31799 | medium | — | 5.5 | 5y ago | RHSA-2022:0672: ruby:2.5 security update (Moderate) | |||
| CVE-2021-23840 | medium | — | 5.5 | 5y ago | RHSA-2021:4424: openssl security and bug fix update (Moderate) | |||
| CVE-2021-23841 | medium | — | 5.5 | 5y ago | RHSA-2021:4424: openssl security and bug fix update (Moderate) | |||
| CVE-2021-29472 | medium | — | 5.5 | 5y ago | Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow… | |||
| CVE-2021-29425 | medium | — | 5.5 | 5y ago | Path Traversal and Improper Input Validation in Apache Commons IO | |||
| CVE-2021-20270 | medium | — | 5.5 | 5y ago | RHSA-2021:4151: python27:2.7 security update (Moderate) | |||
| CVE-2021-29421 | medium | — | 5.5 | 5y ago | models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. | |||
| CVE-2021-2163 | medium | — | 5.5 | 5y ago | insufficient validation in jre11-openjdk-headless, jdk11-openjdk | |||
| CVE-2021-3115 | medium | — | 5.5 | 5y ago | RHSA-2021:1746: go-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-29949 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-29950 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23993 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23991 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23992 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-3347 | medium | — | 5.5 | 5y ago | An issue was discovered in the Linux kernel through 5.10.11. PI futexes have a kernel stack use-after-free during fault handling, allowing local users to execute code in the kernel, aka CID-34b1a1ce1… | |||
| CVE-2021-20295 | medium | — | 5.5 | 5y ago | It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to i… | |||
| CVE-2021-28965 | medium | — | 5.5 | 5y ago | RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-3447 | medium | — | 5.5 | 5y ago | A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controlle… | |||
| CVE-2021-21409 | medium | — | 5.5 | 5y ago | Possible request smuggling in HTTP/2 due to missing validation of content-length | |||
| CVE-2021-25291 | medium | — | 5.5 | 5y ago | An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. | |||
| CVE-2021-25292 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25290 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25293 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25289 | medium | — | 5.5 | 5y ago | An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NO… | |||
| CVE-2021-27291 | medium | — | 5.5 | 5y ago | RHSA-2021:4151: python27:2.7 security update (Moderate) | |||
| CVE-2021-28834 | medium | — | 5.5 | 5y ago | Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. | |||
| CVE-2021-28957 | medium | — | 5.5 | 5y ago | RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate) | |||
| CVE-2021-27290 | medium | — | 5.5 | 5y ago | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-27922 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-27921 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-27923 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-21295 | medium | — | 5.5 | 5y ago | Possible request smuggling in HTTP/2 due to missing validation | |||
| CVE-2021-28305 | medium | — | 5.5 | 5y ago | An issue was discovered in the diesel crate before 1.4.6 for Rust. There is a use-after-free in the SQLite backend because the semantics of sqlite3_column_name are not followed. | |||
| CVE-2021-21306 | medium | — | 5.5 | 5y ago | Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. Thi… | |||
| CVE-2021-21290 | medium | — | 5.5 | 5y ago | Local Information Disclosure Vulnerability in Netty on Unix-Like systems | |||
| CVE-2021-21240 | medium | — | 5.5 | 5y ago | httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header… | |||
| CVE-2021-3715 | medium | — | 5.5 | 6y ago | A flaw was found in the "Routing decision" classifier in the Linux kernel's Traffic Control networking subsystem in the way it handled changing of classification filters, leading to a use-after-free … | |||
| CVE-2021-2007 | medium | — | 5.5 | 6y ago | RHSA-2020:5503: mariadb-connector-c security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-47981 | medium | 5.4 | 5.4 | 22d ago | Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription par… | |||
| CVE-2021-47955 | medium | 5.4 | 5.4 | 22d ago | CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality… | |||
| CVE-2021-47948 | medium | 5.4 | 5.4 | 28d ago | WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers… | |||
| CVE-2021-47870 | medium | 5.4 | 5.4 | 5mo ago | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypasse… | |||
| CVE-2021-47817 | medium | 5.4 | 5.4 | 5mo ago | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability in user profile parameters that authenticated attackers can chain with a file upload to achieve remote code execution. Attackers can expl… | |||
| CVE-2021-45479 | medium | 5.4 | 5.4 | 3y ago | Improper Neutralization of Input During Web Page Generation vulnerability in Yordam Information Technologies Library Automation System allows Stored XSS. This issue affects Library Automation System… | |||
| CVE-2021-47934 | medium | 5.3 | 5.3 | 22d ago | MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and … | |||
| CVE-2021-47946 | medium | 5.3 | 5.3 | 28d ago | OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiti… | |||
| CVE-2021-45475 | medium | 5.3 | 5.3 | 4y ago | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated Information disclosure vulnerability. | |||
| CVE-2021-44795 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitat… | |||
| CVE-2021-44794 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploita… | |||
| CVE-2021-44792 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of thi… | |||
| CVE-2021-35556 | medium | 5.3 | 5.3 | 5y ago | multiple issues in jdk-openjdk, jre-openjdk-headless | |||
| CVE-2021-3806 | medium | 5.3 | 5.3 | 5y ago | A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system. | |||
| CVE-2021-22764 | medium | 5.3 | 5.3 | 5y ago | A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version information) that could… | |||
| CVE-2021-22897 | medium | 5.3 | 5.3 | 5y ago | curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The s… | |||
| CVE-2021-31944 | medium | 5.0 | 5.0 | 5y ago | 3D Viewer Information Disclosure Vulnerability | |||
| CVE-2021-36647 | medium | 4.7 | 4.7 | 3y ago | Use of a Broken or Risky Cryptographic Algorithm in the function mbedtls_mpi_exp_mod() in lignum.c in Mbed TLS all versions before 3.0.0, 2.27.0 or 2.16.11 allows attackers with access to pr… | |||
| CVE-2021-45476 | medium | 4.7 | 4.7 | 4y ago | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability. | |||
| CVE-2021-22701 | medium | 4.5 | 4.5 | 5y ago | A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that c… | |||
| CVE-2021-47958 | medium | 4.3 | 4.3 | 23d ago | CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG file… | |||
| CVE-2021-47953 | medium | 4.3 | 4.3 | 28d ago | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick a… | |||
| CVE-2021-4479 | medium | 4.0 | 4.0 | 5d ago | Dräger Atlan A350 software versions 1.00 through 1.01 contain an improper input handling vulnerability that allows attackers to cause a denial of service by sending specifically crafted non-Medibus-… | |||
| CVE-2021-46678 | medium | 4.0 | 4.0 | 4y ago | An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the service name field. | |||
| CVE-2021-46680 | medium | 4.0 | 4.0 | 4y ago | An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the module form name field. | |||
| CVE-2021-46677 | medium | 4.0 | 4.0 | 4y ago | An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the event filter name field. | |||
| CVE-2021-46676 | medium | 4.0 | 4.0 | 4y ago | An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the transactional maps name field. | |||
| CVE-2021-46679 | medium | 4.0 | 4.0 | 4y ago | An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via service elements. | |||
| CVE-2021-46681 | medium | 4.0 | 4.0 | 4y ago | An XSS vulnerability exists in Pandora FMS version 756 and below that allows an attacker to execute JavaScript code via the module massive operation name field. |