CVEs from 2021
Total
4,788
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.4%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-29514 | critical | — | 9.5 | 5y ago | TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/… | |||
| CVE-2021-29513 | critical | — | 9.5 | 5y ago | TensorFlow is an end-to-end open source platform for machine learning. Calling TF operations with tensors of non-numeric types when the operations expect numeric tensors result in null pointer derefe… | |||
| CVE-2021-29512 | critical | — | 9.5 | 5y ago | TensorFlow is an end-to-end open source platform for machine learning. If the `splits` argument of `RaggedBincount` does not specify a valid `SparseTensor`(https://www.tensorflow.org/api_docs/python/… | |||
| CVE-2021-21239 | critical | — | 9.5 | 5y ago | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. Users of pysaml2 that use the default C… | |||
| CVE-2021-21238 | critical | — | 9.5 | 5y ago | PySAML2 is a pure python implementation of SAML Version 2 Standard. PySAML2 before 6.5.0 has an improper verification of cryptographic signature vulnerability. All users of pysaml2 that need to valid… | |||
| CVE-2021-22779 | critical | 9.1 | 9.1 | 5y ago | Authentication Bypass by Spoofing vulnerability exists in EcoStruxure Control Expert (all versions prior to V15.0 SP1, including all versions of Unity Pro), EcoStruxure Control Expert V15.0 SP1, EcoS… | |||
| CVE-2021-32305 | high | — | 9.0 | — | arbitrary command execution in websvn | |||
| CVE-2021-44790 | high | — | 9.0 | 4y ago | A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerab… | |||
| CVE-2021-23017 | high | — | 9.0 | 5y ago | RHSA-2022:0323: nginx:1.20 security update (Important) | |||
| CVE-2021-27928 | high | — | 9.0 | 5y ago | RHSA-2021:1242: mariadb:10.3 and mariadb-devel:10.3 security update (Important) | |||
| CVE-2021-47979 | high | 8.8 | 8.8 | 21d ago | WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers … | |||
| CVE-2021-47976 | high | 8.8 | 8.8 | 21d ago | TextPattern CMS 4.9.0-dev contains a remote code execution vulnerability that allows authenticated attackers to upload arbitrary PHP files by exploiting the plugin upload functionality. Attackers can… | |||
| CVE-2021-47964 | high | 8.8 | 8.8 | 22d ago | Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager… | |||
| CVE-2021-47949 | high | 8.8 | 8.8 | 27d ago | CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks through the filemanager con… | |||
| CVE-2021-47943 | high | 8.8 | 8.8 | 27d ago | TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through the file upload functio… | |||
| CVE-2021-47939 | high | 8.8 | 8.8 | 27d ago | Evolution CMS 3.1.6 contains a remote code execution vulnerability that allows authenticated users with module creation permissions to execute arbitrary system commands by injecting PHP code into mod… | |||
| CVE-2021-47938 | high | 8.8 | 8.8 | 27d ago | ImpressCMS 1.4.2 contains a remote code execution vulnerability in the autotasks administrative interface that allows authenticated attackers to execute arbitrary PHP code by injecting malicious code… | |||
| CVE-2021-47937 | high | 8.8 | 8.8 | 27d ago | e107 CMS 2.3.0 contains a remote code execution vulnerability that allows authenticated users with theme installation permissions to execute arbitrary commands by uploading malicious theme files. Att… | |||
| CVE-2021-47935 | high | 8.8 | 8.8 | 27d ago | Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log e… | |||
| CVE-2021-3855 | high | 8.8 | 8.8 | 3y ago | Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman Central Management System Liman MYS (HTTP/Controllers, CronMail, Jobs modules) allows Comman… | |||
| CVE-2021-25667 | high | 8.8 | 8.8 | 5y ago | A vulnerability has been identified in RUGGEDCOM RM1224 (All versions >= V4.3 and < V6.4), SCALANCE M-800 (All versions >= V4.3 and < V6.4), SCALANCE S615 (All versions >= V4.3 and < V6.4), SCALANCE … | |||
| CVE-2021-21974 | high | 8.8 | 8.8 | 5y ago | OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same… | |||
| CVE-2021-44793 | high | 8.6 | 8.6 | 4y ago | Single Connect does not perform an authorization check when using the sc-reports-ui" module. A remote attacker could exploit this vulnerability to access the device configuration page and export the … | |||
| CVE-2021-33012 | high | 8.6 | 8.6 | 5y ago | Rockwell Automation MicroLogix 1100, all versions, allows a remote, unauthenticated attacker sending specially crafted commands to cause the PLC to fault when the controller is switched to RUN mode, … | |||
| CVE-2021-22659 | high | 8.6 | 8.6 | 5y ago | Rockwell Automation MicroLogix 1400 Version 21.6 and below may allow a remote unauthenticated attacker to send a specially crafted Modbus packet allowing the attacker to retrieve or modify random val… | |||
| CVE-2021-4481 | high | 8.2 | 8.2 | 4d ago | Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with… | |||
| CVE-2021-4480 | high | 8.2 | 8.2 | 4d ago | Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with… | |||
| CVE-2021-4478 | high | 8.2 | 8.2 | 4d ago | Dräger CC-Vision Basic before 7.5.3 and Dräger CC-Vision E-Cal before 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. A crafted .gdt file can trigger a buffer overflow d… | |||
| CVE-2021-47956 | high | 8.2 | 8.2 | 21d ago | EgavilanMedia PHPCRUD 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the firstname parameter. Attackers… | |||
| CVE-2021-47954 | high | 8.2 | 8.2 | 21d ago | LayerBB 1.1.4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the search_query parameter. Attackers can send… | |||
| CVE-2021-47966 | high | 8.2 | 8.2 | 22d ago | PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allows unauthenticated attackers to extract database conte… | |||
| CVE-2021-47941 | high | 8.2 | 8.2 | 27d ago | WordPress Plugin Survey & Poll 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap co… | |||
| CVE-2021-47930 | high | 8.2 | 8.2 | 27d ago | Balbooa Joomla Forms Builder 2.0.6 contains an unauthenticated SQL injection vulnerability in the form submission handler that allows remote attackers to execute arbitrary SQL queries. Attackers can … | |||
| CVE-2021-47928 | high | 8.2 | 8.2 | 27d ago | Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id paramete… | |||
| CVE-2021-47961 | high | 8.1 | 8.1 | 2mo ago | A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead … | |||
| CVE-2021-26701 | high | 8.1 | 8.1 | 5y ago | RHSA-2021:0793: .NET Core on RHEL 8 security and bugfix update (Important) | |||
| CVE-2021-2409 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.24. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-39899 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-39944 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-30540 | high | — | 8.0 | — | Incorrect security UI in payments in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2021-21215 | high | — | 8.0 | — | Inappropriate implementation in Autofill in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to spoof security UI via a crafted HTML page. | |||
| CVE-2021-21199 | high | — | 8.0 | — | Use after free in Aura in Google Chrome on Linux prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML pa… | |||
| CVE-2021-21197 | high | — | 8.0 | — | Heap buffer overflow in TabStrip in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-37978 | high | — | 8.0 | — | Heap buffer overflow in Blink in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30621 | high | — | 8.0 | — | Chromium: CVE-2021-30621 UI Spoofing in Autofill | |||
| CVE-2021-1051 | high | — | 8.0 | — | multiple issues in nvidia-utils | |||
| CVE-2021-21180 | high | — | 8.0 | — | Use after free in tab search in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-22168 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-22171 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-37970 | high | — | 8.0 | — | Use after free in File System API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-37968 | high | — | 8.0 | — | Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2021-37963 | high | — | 8.0 | — | Side-channel information leakage in DevTools in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to bypass site isolation via a crafted HTML page. | |||
| CVE-2021-30630 | high | — | 8.0 | — | Inappropriate implementation in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. | |||
| CVE-2021-30627 | high | — | 8.0 | — | Type confusion in Blink layout in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30626 | high | — | 8.0 | — | Out of bounds memory access in ANGLE in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30562 | high | — | 8.0 | — | Use after free in WebSerial in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-2285 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows unauth… | |||
| CVE-2021-30561 | high | — | 8.0 | — | Type Confusion in V8 in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30556 | high | — | 8.0 | — | Use after free in WebAudio in Google Chrome prior to 91.0.4472.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-21213 | high | — | 8.0 | — | Use after free in WebMIDI in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-2266 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-21209 | high | — | 8.0 | — | Inappropriate implementation in storage in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2021-21196 | high | — | 8.0 | — | Heap buffer overflow in TabStrip in Google Chrome on Windows prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-21190 | high | — | 8.0 | — | Uninitialized data in PDFium in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. | |||
| CVE-2021-21181 | high | — | 8.0 | — | Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | |||
| CVE-2021-21182 | high | — | 8.0 | — | Insufficient policy enforcement in navigations in Google Chrome prior to 89.0.4389.72 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafte… | |||
| CVE-2021-22241 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-21178 | high | — | 8.0 | — | Inappropriate implementation in Compositing in Google Chrome on Linux and Windows prior to 89.0.4389.72 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML pag… | |||
| CVE-2021-30625 | high | — | 8.0 | — | Use after free in Selection API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who convinced the user the visit a malicious website to potentially exploit heap corruption via a craf… | |||
| CVE-2021-21221 | high | — | 8.0 | — | Insufficient validation of untrusted input in Mojo in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HT… | |||
| CVE-2021-32765 | high | — | 8.0 | — | Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` proto… | |||
| CVE-2021-22215 | high | — | 8.0 | — | information disclosure in gitlab | |||
| CVE-2021-25746 | high | — | 8.0 | — | information disclosure in kubectl-ingress-nginx | |||
| CVE-2021-4066 | high | — | 8.0 | — | Integer underflow in ANGLE in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-36952 | high | — | 8.0 | — | multiple issues in code | |||
| CVE-2021-37958 | high | — | 8.0 | — | Inappropriate implementation in Navigation in Google Chrome on Windows prior to 94.0.4606.54 allowed a remote attacker to inject scripts or HTML into a privileged page via a crafted HTML page. | |||
| CVE-2021-30620 | high | — | 8.0 | — | Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink | |||
| CVE-2021-30617 | high | — | 8.0 | — | Chromium: CVE-2021-30617 Policy bypass in Blink | |||
| CVE-2021-30575 | high | — | 8.0 | — | Out of bounds write in Autofill in Google Chrome prior to 92.0.4515.107 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML pa… | |||
| CVE-2021-29972 | high | — | 8.0 | — | A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilit… | |||
| CVE-2021-29427 | high | — | 8.0 | — | In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gra… | |||
| CVE-2021-32917 | high | — | 8.0 | — | An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use … | |||
| CVE-2021-32920 | high | — | 8.0 | — | Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. | |||
| CVE-2021-32921 | high | — | 8.0 | — | An issue was discovered in Prosody before 0.11.9. It does not use a constant-time algorithm for comparing certain secret strings when running under Lua 5.2 or later. This can potentially be used in a… | |||
| CVE-2021-29964 | high | — | 8.0 | — | A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would process incorrectly, leading to an out-of-bounds read. *This bug only affects Firefox on Windows. Other operat… | |||
| CVE-2021-30574 | high | — | 8.0 | — | Use after free in protocol handling in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-2128 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows low pr… | |||
| CVE-2021-2127 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-38495 | high | — | 8.0 | — | Mozilla developers reported memory safety bugs present in Thunderbird 78.13.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have … | |||
| CVE-2021-30507 | high | — | 8.0 | — | Inappropriate implementation in Offline in Google Chrome on Android prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HT… | |||
| CVE-2021-30530 | high | — | 8.0 | — | Out of bounds memory access in WebAudio in Google Chrome prior to 91.0.4472.77 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. | |||
| CVE-2021-23962 | high | — | 8.0 | — | Incorrect use of the '<RowCountChanged>' method could have led to a user-after-poison and a potentially exploitable crash. This vulnerability affects Firefox < 85. | |||
| CVE-2021-2130 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-2145 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high… | |||
| CVE-2021-23963 | high | — | 8.0 | — | When sharing geolocation during an active WebRTC share, Firefox could have reset the webRTC sharing state in the user interface, leading to loss of control over the currently granted permission. This… | |||
| CVE-2021-2280 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows unauth… | |||
| CVE-2021-2284 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows unauth… | |||
| CVE-2021-2286 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows unauth… | |||
| CVE-2021-2309 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high… | |||
| CVE-2021-38510 | high | — | 8.0 | — | The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.*Note: This issue only affected Mac OS operating s… |