CVEs from 2021

Total: 6,258

| Severity | Count |
|---|---|
| critical | 272 |
| high | 976 |
| medium | 1,141 |
| low | 135 |

| Metric | Value |
|---|---|
| % Critical | 4.3% |
| % with KEV | 3.4% |
| % with exploit | 3.4% |
Top products
- office 13
- 365_apps 6
- office_long_term_servicing_channel 6
- library_automation_system 5
- single_connect 4
- http_server 3
- solidfire 2
- student_information_management_system 2
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-3156 | critical | — | 10.0 | 4y ago | Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation. | |
| CVE-2021-4102 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-44228 | critical | — | 10.0 | 5y ago | Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution. | |
| CVE-2021-42013 | critical | — | 10.0 | 5y ago | Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under defa… | |
| CVE-2021-22205 | critical | — | 10.0 | 5y ago | GitLab Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through Exi… | |
| CVE-2021-21148 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a heap buffer overflow vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect m… | |
| CVE-2021-30551 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a type confusion vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-47952 | critical | 9.8 | 9.8 | 11d ago | python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. … | |
| CVE-2021-47965 | critical | 9.8 | 9.8 | 12d ago | WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation.… | |
| CVE-2021-47940 | critical | 9.8 | 9.8 | 17d ago | WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fi… | |
| CVE-2021-47936 | critical | 9.8 | 9.8 | 17d ago | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Att… | |
| CVE-2021-47933 | critical | 9.8 | 9.8 | 17d ago | WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers… | |
| CVE-2021-47932 | critical | 9.8 | 9.8 | 17d ago | WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler… | |
| CVE-2021-47923 | critical | 9.8 | 9.8 | 17d ago | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID c… | |
| CVE-2021-3854 | critical | 9.8 | 9.8 | 3y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before … | |
| CVE-2021-4105 | critical | 9.8 | 9.8 | 3y ago | Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion. This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727. | |
| CVE-2021-3825 | critical | 9.6 | 9.6 | 5y ago | Versions 2.1.15 and below of the Lider module in LiderAhenk software leak their configuration via an unsecured API. An attacker with access to the configurations API could get valid LDAP crede… | |
| CVE-2021-26675 | critical | — | 9.5 | — | A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code. | |
| CVE-2021-22196 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21145 | critical | — | 9.5 | — | Use after free in Fonts in Google Chrome prior to 88.0.4324.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30552 | critical | — | 9.5 | — | Use after free in Extensions in Google Chrome prior to 91.0.4472.101 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTM… | |
| CVE-2021-21139 | critical | — | 9.5 | — | Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |
| CVE-2021-28682 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-30553 | critical | — | 9.5 | — | Use after free in Network service in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-22202 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21144 | critical | — | 9.5 | — | Heap buffer overflow in Tab Groups in Google Chrome prior to 88.0.4324.146 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a craft… | |
| CVE-2021-21146 | critical | — | 9.5 | — | Use after free in Navigation in Google Chrome prior to 88.0.4324.146 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-31864 | critical | — | 9.5 | — | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. | |
| CVE-2021-21138 | critical | — | 9.5 | — | Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file. | |
| CVE-2021-21143 | critical | — | 9.5 | — | Heap buffer overflow in Extensions in Google Chrome prior to 88.0.4324.146 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a craft… | |
| CVE-2021-21120 | critical | — | 9.5 | — | Use after free in WebSQL in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-4099 | critical | — | 9.5 | — | Use after free in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21124 | critical | — | 9.5 | — | Potential use after free in Speech Recognizer in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-21121 | critical | — | 9.5 | — | Use after free in Omnibox in Google Chrome on Linux prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-22201 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21123 | critical | — | 9.5 | — | Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-31921 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-21141 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass file extension policy via a crafted HTML page. | |
| CVE-2021-30545 | critical | — | 9.5 | — | Use after free in Extensions in Google Chrome prior to 91.0.4472.101 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21140 | critical | — | 9.5 | — | Uninitialized use in USB in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform out of bounds memory access via a USB device. | |
| CVE-2021-30549 | critical | — | 9.5 | — | Use after free in Spell check in Google Chrome prior to 91.0.4472.101 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HT… | |
| CVE-2021-22192 | critical | — | 9.5 | — | arbitrary code execution in gitlab | |
| CVE-2021-21126 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. | |
| CVE-2021-21122 | critical | — | 9.5 | — | Use after free in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21134 | critical | — | 9.5 | — | Incorrect security UI in Page Info in Google Chrome on iOS prior to 88.0.4324.96 allowed a remote attacker to spoof security UI via a crafted HTML page. | |
| CVE-2021-21130 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-31866 | critical | — | 9.5 | — | Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController… | |
| CVE-2021-21119 | critical | — | 9.5 | — | Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-22199 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21125 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21135 | critical | — | 9.5 | — | Inappropriate implementation in Performance API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2021-30546 | critical | — | 9.5 | — | Use after free in Autofill in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-34824 | critical | — | 9.5 | — | information disclosure in istio | |
| CVE-2021-29274 | critical | — | 9.5 | — | Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. | |
| CVE-2021-31920 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-29492 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-30548 | critical | — | 9.5 | — | Use after free in Loader in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21131 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21127 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass content security policy via a crafted Chrome Extension. | |
| CVE-2021-30550 | critical | — | 9.5 | — | Use after free in Accessibility in Google Chrome prior to 91.0.4472.101 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted … | |
| CVE-2021-29258 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-22198 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-30544 | critical | — | 9.5 | — | Use after free in BFCache in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-28683 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-21136 | critical | — | 9.5 | — | Insufficient policy enforcement in WebView in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2021-21133 | critical | — | 9.5 | — | Insufficient policy enforcement in Downloads in Google Chrome prior to 88.0.4324.96 allowed an attacker who convinced a user to download files to bypass navigation restrictions via a crafted HTML pag… | |
| CVE-2021-21147 | critical | — | 9.5 | — | Inappropriate implementation in Skia in Google Chrome prior to 88.0.4324.146 allowed a local attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. | |
| CVE-2021-21118 | critical | — | 9.5 | — | Insufficient data validation in V8 in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |
| CVE-2021-31865 | critical | — | 9.5 | — | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. | |
| CVE-2021-22203 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-22200 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21132 | critical | — | 9.5 | — | Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted Chrome Extension. | |
| CVE-2021-4101 | critical | — | 9.5 | — | Heap buffer overflow in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30163 | critical | — | 9.5 | — | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. | |
| CVE-2021-21117 | critical | — | 9.5 | — | Insufficient policy enforcement in Cryptohome in Google Chrome prior to 88.0.4324.96 allowed a local attacker to perform OS-level privilege escalation via a crafted file. | |
| CVE-2021-4098 | critical | — | 9.5 | — | Insufficient data validation in Mojo in Google Chrome prior to 96.0.4664.110 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted H… | |
| CVE-2021-29953 | critical | — | 9.5 | — | A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerab… | |
| CVE-2021-21128 | critical | — | 9.5 | — | Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21129 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21137 | critical | — | 9.5 | — | Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page. | |
| CVE-2021-26676 | critical | — | 9.5 | — | gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp. | |
| CVE-2021-3345 | critical | — | 9.5 | — | _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1… | |
| CVE-2021-22197 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-30164 | critical | — | 9.5 | — | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. | |
| CVE-2021-31863 | critical | — | 9.5 | — | Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by th… | |
| CVE-2021-4100 | critical | — | 9.5 | — | Object lifecycle issue in ANGLE in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21142 | critical | — | 9.5 | — | Use after free in Payments in Google Chrome on Mac prior to 88.0.4324.146 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-39935 | high | — | 9.5 | 4mo ago | GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. | |
| CVE-2021-22555 | high | — | 9.5 | 8mo ago | Important: kernel security, bug fix, and enhancement update | |
| CVE-2021-43798 | high | — | 9.5 | 2y ago | Grafana contains a path traversal vulnerability that could allow access to local files. | |
| CVE-2021-3560 | high | — | 9.5 | 3y ago | Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation. | |
| CVE-2021-30533 | high | — | 9.5 | 4y ago | Google Chromium PopupBlocker contains an insufficient policy enforcement vulnerability that allows a remote attacker to bypass navigation restrictions via a crafted iframe. This vulnerability could a… | |
| CVE-2021-4034 | high | — | 9.5 | 4y ago | Important: polkit security update | |
| CVE-2021-21686 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21687 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21694 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21688 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21690 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21685 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21692 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins |