CVEs from 2021
Total
4,791
critical
critical 281
high
high 1,022
medium
medium 1,179
low
low 138
% Critical
5.9%
% with KEV
4.4%
% with exploit
5.3%
Top vendors
Top products
- simatic_wincc_runtime_advanced 28
- office 13
- primavera_gateway 10
- weblogic_server 9
- primavera_unifier 8
- modicon_m340_bmxp342020 8
- log4j 8
- mbed_tls 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-35540 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.28. Easily exploitable vulnerability allows low pr… | |||
| CVE-2021-37993 | high | — | 8.0 | — | Use after free in PDF Accessibility in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-21172 | high | — | 8.0 | — | Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 89.0.4389.72 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |||
| CVE-2021-21225 | high | — | 8.0 | — | Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-39866 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-30614 | high | — | 8.0 | — | Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip | |||
| CVE-2021-37970 | high | — | 8.0 | — | Use after free in File System API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-2306 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-38017 | high | — | 8.0 | — | Insufficient policy enforcement in iframe sandbox in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2021-29975 | high | — | 8.0 | — | Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly… | |||
| CVE-2021-4066 | high | — | 8.0 | — | Integer underflow in ANGLE in Google Chrome prior to 96.0.4664.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-21232 | high | — | 8.0 | — | Use after free in Dev Tools in Google Chrome prior to 90.0.4430.93 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30623 | high | — | 8.0 | — | Chromium: CVE-2021-30623 Use after free in Bookmarks | |||
| CVE-2021-37959 | high | — | 8.0 | — | Use after free in Task Manager in Google Chrome prior to 94.0.4606.54 allowed an attacker who convinced a user to enage in a series of user gestures to potentially exploit heap corruption via a craft… | |||
| CVE-2021-38002 | high | — | 8.0 | — | Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2021-26925 | high | — | 8.0 | — | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. | |||
| CVE-2021-30512 | high | — | 8.0 | — | Use after free in Notifications in Google Chrome prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML pa… | |||
| CVE-2021-29971 | high | — | 8.0 | — | If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects … | |||
| CVE-2021-29157 | high | — | 8.0 | — | Dovecot before 2.3.15 allows ../ Path Traversal. An attacker with access to the local filesystem can trick OAuth2 authentication into using an HS256 validation key from an attacker-controlled locatio… | |||
| CVE-2021-21106 | high | — | 8.0 | — | Use after free in autofill in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2021-39882 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-30559 | high | — | 8.0 | — | Out of bounds write in ANGLE in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30571 | high | — | 8.0 | — | Insufficient policy enforcement in DevTools in Google Chrome prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape v… | |||
| CVE-2021-30626 | high | — | 8.0 | — | Out of bounds memory access in ANGLE in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-2126 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-2283 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Easily exploitable vulnerability allows unauth… | |||
| CVE-2021-37971 | high | — | 8.0 | — | Incorrect security UI in Web Browser UI in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |||
| CVE-2021-2121 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-4076 | high | — | 8.0 | — | A flaw exists in tang, a network-based cryptographic binding server, which could result in leak of private keys. | |||
| CVE-2021-39919 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-22945 | high | — | 8.0 | — | When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call t… | |||
| CVE-2021-23970 | high | — | 8.0 | — | Context-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. This vulnerability affects Firefox < 86. | |||
| CVE-2021-22167 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-3405 | high | — | 8.0 | — | A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml. | |||
| CVE-2021-23965 | high | — | 8.0 | — | Mozilla developers reported memory safety bugs present in Firefox 84. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2021-37977 | high | — | 8.0 | — | Use after free in Garbage Collection in Google Chrome prior to 94.0.4606.81 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-23971 | high | — | 8.0 | — | When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the… | |||
| CVE-2021-23972 | high | — | 8.0 | — | One phishing tactic on the web is to provide a link with HTTP Auth. For example 'https://www.phishingtarget.com@evil.com'. To mitigate this type of attack, Firefox will display a warning dialog; howe… | |||
| CVE-2021-37981 | high | — | 8.0 | — | Heap buffer overflow in Skia in Google Chrome prior to 95.0.4638.54 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2021-37965 | high | — | 8.0 | — | Inappropriate implementation in Background Fetch API in Google Chrome prior to 94.0.4606.54 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2021-23986 | high | — | 8.0 | — | A malicious extension with the 'search' permission could have installed a new search engine whose favicon referenced a cross-origin URL. The response to this cross-origin request could have been read… | |||
| CVE-2021-30528 | high | — | 8.0 | — | Use after free in WebAuthentication in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker who had compromised the renderer process of a user who had saved a credit card in their… | |||
| CVE-2021-23975 | high | — | 8.0 | — | The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof funct… | |||
| CVE-2021-30514 | high | — | 8.0 | — | Use after free in Autofill in Google Chrome prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-23983 | high | — | 8.0 | — | By causing a transition on a parent node by removing a CSS rule, an invalid property for a marker could have been applied, resulting in memory corruption and a potentially exploitable crash. This vul… | |||
| CVE-2021-23988 | high | — | 8.0 | — | Mozilla developers reported memory safety bugs present in Firefox 86. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2021-23985 | high | — | 8.0 | — | If an attacker is able to alter specific about:config values (for example malware running on the user's computer), the Devtools remote debugging feature could have been enabled in a way that was unno… | |||
| CVE-2021-22208 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-22211 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-29503 | high | — | 8.0 | — | cross-site scripting in hedgedoc | |||
| CVE-2021-37992 | high | — | 8.0 | — | Out of bounds read in WebAudio in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-29947 | high | — | 8.0 | — | Mozilla developers and community members reported memory safety bugs present in Firefox 87. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of thes… | |||
| CVE-2021-43540 | high | — | 8.0 | — | WebExtensions with the correct permissions were able to create and install ServiceWorkers for third-party websites that would not have been uninstalled with the extension. This vulnerability affects … | |||
| CVE-2021-23979 | high | — | 8.0 | — | Mozilla developers reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been expl… | |||
| CVE-2021-37996 | high | — | 8.0 | — | Insufficient validation of untrusted input Downloads in Google Chrome prior to 95.0.4638.54 allowed a remote attacker to bypass navigation restrictions via a malicious file. | |||
| CVE-2021-30588 | high | — | 8.0 | — | Type confusion in V8 in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-38016 | high | — | 8.0 | — | Insufficient policy enforcement in background fetch in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to bypass same origin policy via a crafted HTML page. | |||
| CVE-2021-38011 | high | — | 8.0 | — | Use after free in storage foundation in Google Chrome prior to 96.0.4664.45 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-39911 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-38001 | high | — | 8.0 | — | Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30594 | high | — | 8.0 | — | Use after free in Page Info UI in Google Chrome prior to 92.0.4515.131 allowed a remote attacker to potentially exploit heap corruption via physical access to the device. | |||
| CVE-2021-30616 | high | — | 8.0 | — | Chromium: CVE-2021-30616 Use after free in Media | |||
| CVE-2021-43396 | high | — | 8.0 | — | In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an inter… | |||
| CVE-2021-21115 | high | — | 8.0 | — | User after free in safe browsing in Google Chrome prior to 87.0.4280.141 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML … | |||
| CVE-2021-38010 | high | — | 8.0 | — | Inappropriate implementation in service workers in Google Chrome prior to 96.0.4664.45 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML p… | |||
| CVE-2021-22223 | high | — | 8.0 | — | multiple issues in gitlab | |||
| CVE-2021-21164 | high | — | 8.0 | — | Insufficient data validation in Chrome on iOS in Google Chrome on iOS prior to 89.0.4389.72 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |||
| CVE-2021-21153 | high | — | 8.0 | — | Stack buffer overflow in GPU Process in Google Chrome on Linux prior to 88.0.4324.182 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |||
| CVE-2021-21192 | high | — | 8.0 | — | Heap buffer overflow in tab groups in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-21114 | high | — | 8.0 | — | Use after free in audio in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30597 | high | — | 8.0 | — | Use after free in Browser UI in Google Chrome on Chrome prior to 92.0.4515.131 allowed a remote attacker to potentially exploit heap corruption via physical access to the device. | |||
| CVE-2021-30627 | high | — | 8.0 | — | Type confusion in Blink layout in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30584 | high | — | 8.0 | — | Incorrect security UI in Downloads in Google Chrome on Android prior to 92.0.4515.107 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2021-28660 | high | — | 8.0 | — | rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c in the Linux kernel through 5.11.6 allows writing beyond the end of the ->ssid[] array. NOTE: from the perspective of kernel.org rele… | |||
| CVE-2021-30572 | high | — | 8.0 | — | Use after free in Autofill in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-30565 | high | — | 8.0 | — | Out of bounds write in Tab Groups in Google Chrome on Linux and ChromeOS prior to 92.0.4515.107 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds m… | |||
| CVE-2021-26910 | high | — | 8.0 | — | Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation. | |||
| CVE-2021-32918 | high | — | 8.0 | — | An issue was discovered in Prosody before 0.11.9. Default settings are susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.… | |||
| CVE-2021-32919 | high | — | 8.0 | — | An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not co… | |||
| CVE-2021-2442 | high | — | 8.0 | — | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.24. Easily exploitable vulnerability allows high p… | |||
| CVE-2021-44879 | high | — | 8.0 | — | In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference. | |||
| CVE-2021-21195 | high | — | 8.0 | — | Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-21185 | high | — | 8.0 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 89.0.4389.72 allowed an attacker who convinced a user to install a malicious extension to obtain sensitive information via a cr… | |||
| CVE-2021-29265 | high | — | 8.0 | — | An issue was discovered in the Linux kernel before 5.11.7. usbip_sockfd_store in drivers/usb/usbip/stub_dev.c allows attackers to cause a denial of service (GPF) because the stub-up sequence has race… | |||
| CVE-2021-21189 | high | — | 8.0 | — | Insufficient policy enforcement in payments in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2021-21191 | high | — | 8.0 | — | Use after free in WebRTC in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |||
| CVE-2021-21201 | high | — | 8.0 | — | Use after free in permissions in Google Chrome prior to 90.0.4430.72 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2021-21205 | high | — | 8.0 | — | Insufficient policy enforcement in navigation in Google Chrome on iOS prior to 90.0.4430.72 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |||
| CVE-2021-21207 | high | — | 8.0 | — | Use after free in IndexedDB in Google Chrome prior to 90.0.4430.72 allowed an attacker who convinced a user to install a malicious extension to potentially perform a sandbox escape via a crafted Chro… | |||
| CVE-2021-21210 | high | — | 8.0 | — | Inappropriate implementation in Network in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to potentially access local UDP ports via a crafted HTML page. | |||
| CVE-2021-30630 | high | — | 8.0 | — | Inappropriate implementation in Blink in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. | |||
| CVE-2021-21212 | high | — | 8.0 | — | Incorrect security UI in Network Config UI in Google Chrome on ChromeOS prior to 90.0.4430.72 allowed a remote attacker to potentially compromise WiFi connection security via a malicious WAP. | |||
| CVE-2021-21208 | high | — | 8.0 | — | Insufficient data validation in QR scanner in Google Chrome on iOS prior to 90.0.4430.72 allowed an attacker displaying a QR code to perform domain spoofing via a crafted QR code. | |||
| CVE-2021-21198 | high | — | 8.0 | — | Out of bounds read in IPC in Google Chrome prior to 89.0.4389.114 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2021-21218 | high | — | 8.0 | — | Uninitialized data in PDFium in Google Chrome prior to 90.0.4430.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted PDF file. | |||
| CVE-2021-21229 | high | — | 8.0 | — | Incorrect security UI in downloads in Google Chrome on Android prior to 90.0.4430.93 allowed a remote attacker to perform domain spoofing via a crafted HTML page. | |||
| CVE-2021-21223 | high | — | 8.0 | — | Integer overflow in Mojo in Google Chrome prior to 90.0.4430.85 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |||
| CVE-2021-3781 | high | — | 8.0 | — | A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document… | |||
| CVE-2021-29964 | high | — | 8.0 | — | A locally-installed hostile program could send `WM_COPYDATA` messages that Firefox would process incorrectly, leading to an out-of-bounds read. *This bug only affects Firefox on Windows. Other operat… | |||
| CVE-2021-32749 | high | — | 8.0 | — | fail2ban is a daemon to ban hosts that cause multiple authentication errors. In versions 0.9.7 and prior, 0.10.0 through 0.10.6, and 0.11.0 through 0.11.2, there is a vulnerability that leads to poss… |