CVEs from 2021
Total
4,866
critical
critical 279
high
high 1,007
medium
medium 1,166
low
low 136
% Critical
5.7%
% with KEV
4.4%
% with exploit
4.7%
Top vendors
Top products
- office 13
- primavera_gateway 10
- weblogic_server 9
- modicon_m340_bmxp342020 8
- log4j 8
- primavera_unifier 8
- retail_service_backbone 7
- communications_unified_inventory_management 7
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-27905 | medium | — | 5.5 | 5y ago | Server-Side Request Forgery in Apache Solr | |||
| CVE-2021-29943 | medium | — | 5.5 | 5y ago | Incorrect Authorization in Apache Solr | |||
| CVE-2021-21419 | medium | — | 5.5 | 5y ago | Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side… | |||
| CVE-2021-23362 | medium | — | 5.5 | 5y ago | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-22885 | medium | — | 5.5 | 5y ago | A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. | |||
| CVE-2021-22904 | medium | — | 5.5 | 5y ago | The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive … | |||
| CVE-2021-22903 | medium | — | 5.5 | 5y ago | The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Author… | |||
| CVE-2021-22902 | medium | — | 5.5 | 5y ago | The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of A… | |||
| CVE-2021-31799 | medium | — | 5.5 | 5y ago | RHSA-2022:0672: ruby:2.5 security update (Moderate) | |||
| CVE-2021-23841 | medium | — | 5.5 | 5y ago | RHSA-2021:4424: openssl security and bug fix update (Moderate) | |||
| CVE-2021-23840 | medium | — | 5.5 | 5y ago | RHSA-2021:4424: openssl security and bug fix update (Moderate) | |||
| CVE-2021-29472 | medium | — | 5.5 | 5y ago | Composer's missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial | |||
| CVE-2021-29425 | medium | — | 5.5 | 5y ago | Path Traversal and Improper Input Validation in Apache Commons IO | |||
| CVE-2021-20270 | medium | — | 5.5 | 5y ago | RHSA-2021:4151: python27:2.7 security update (Moderate) | |||
| CVE-2021-29421 | medium | — | 5.5 | 5y ago | models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries. | |||
| CVE-2021-2163 | medium | — | 5.5 | 5y ago | RHSA-2022:6735: java-1.8.0-ibm security update (Moderate) | |||
| CVE-2021-3115 | medium | — | 5.5 | 5y ago | RHSA-2021:1746: go-toolset:rhel8 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-23991 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-29949 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23992 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-23993 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-29950 | medium | — | 5.5 | 5y ago | RHSA-2021:1193: thunderbird security update (Moderate) | |||
| CVE-2021-20295 | medium | — | 5.5 | 5y ago | RHSA-2021:1064: virt:rhel and virt-devel:rhel security update (Moderate) | |||
| CVE-2021-28965 | medium | — | 5.5 | 5y ago | RHSA-2021:2588: ruby:2.6 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-3447 | medium | — | 5.5 | 5y ago | A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controlle… | |||
| CVE-2021-21409 | medium | — | 5.5 | 5y ago | Possible request smuggling in HTTP/2 due missing validation of content-length | |||
| CVE-2021-25291 | medium | — | 5.5 | 5y ago | An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there is an out-of-bounds read in TiffreadRGBATile via invalid tile boundaries. | |||
| CVE-2021-25292 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25290 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25293 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-25289 | medium | — | 5.5 | 5y ago | An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap-based buffer overflow when decoding crafted YCbCr files because of certain interpretation conflicts with LibTIFF in RGBA mode. NO… | |||
| CVE-2021-27291 | medium | — | 5.5 | 5y ago | RHSA-2021:4151: python27:2.7 security update (Moderate) | |||
| CVE-2021-28834 | medium | — | 5.5 | 5y ago | Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated. | |||
| CVE-2021-28957 | medium | — | 5.5 | 5y ago | RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate) | |||
| CVE-2021-27290 | medium | — | 5.5 | 5y ago | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-27922 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-27921 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-27923 | medium | — | 5.5 | 5y ago | RHSA-2021:4149: python-pillow security update (Moderate) | |||
| CVE-2021-21295 | medium | — | 5.5 | 5y ago | Possible request smuggling in HTTP/2 due missing validation | |||
| CVE-2021-28305 | medium | — | 5.5 | 5y ago | An issue was discovered in the diesel crate before 1.4.6 for Rust. There is a use-after-free in the SQLite backend because the semantics of sqlite3_column_name are not followed. | |||
| CVE-2021-21306 | medium | — | 5.5 | 5y ago | Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. Thi… | |||
| CVE-2021-21290 | medium | — | 5.5 | 5y ago | Local Information Disclosure Vulnerability in Netty on Unix-Like systems | |||
| CVE-2021-21240 | medium | — | 5.5 | 5y ago | httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header… | |||
| CVE-2021-3715 | medium | — | 5.5 | 6y ago | RHSA-2020:4609: kernel-rt security and bug fix update (Moderate) | |||
| CVE-2021-2007 | medium | — | 5.5 | 6y ago | RHSA-2020:5503: mariadb-connector-c security, bug fix, and enhancement update (Moderate) | |||
| CVE-2021-47981 | medium | 5.4 | 5.4 | 14d ago | Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription par… | |||
| CVE-2021-47955 | medium | 5.4 | 5.4 | 14d ago | CouchCMS 2.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG files through the file upload functionality… | |||
| CVE-2021-47948 | medium | 5.4 | 5.4 | 20d ago | WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Attackers… | |||
| CVE-2021-47870 | medium | 5.4 | 5.4 | 4mo ago | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypasse… | |||
| CVE-2021-47817 | medium | 5.4 | 5.4 | 4mo ago | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability in user profile parameters that authenticated attackers can chain with a file upload to achieve remote code execution. Attackers can expl… | |||
| CVE-2021-45479 | medium | 5.4 | 5.4 | 3y ago | Improper Neutralization of Input During Web Page Generation vulnerability in Yordam Information Technologies Library Automation System allows Stored XSS. This issue affects Library Automation System… | |||
| CVE-2021-47934 | medium | 5.3 | 5.3 | 14d ago | MyBB Timeline Plugin 1.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through thread titles, post content, and user profile fields like Location and … | |||
| CVE-2021-47946 | medium | 5.3 | 5.3 | 20d ago | OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiti… | |||
| CVE-2021-45475 | medium | 5.3 | 5.3 | 4y ago | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated Information disclosure vulnerability. | |||
| CVE-2021-44795 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitat… | |||
| CVE-2021-44794 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "sc-diagnostic-ui" module. A remote attacker could exploit this vulnerability to access the device information page. The exploita… | |||
| CVE-2021-44792 | medium | 5.3 | 5.3 | 4y ago | Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of thi… | |||
| CVE-2021-35556 | medium | 5.3 | 5.3 | 5y ago | RHSA-2022:0345: java-1.8.0-ibm security update (Important) | |||
| CVE-2021-3806 | medium | 5.3 | 5.3 | 5y ago | A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system. | |||
| CVE-2021-22764 | medium | 5.3 | 5.3 | 5y ago | A CWE-287: Improper Authentication vulnerability exists in PowerLogic PM55xx, PowerLogic PM8ECC, PowerLogic EGX100 and PowerLogic EGX300 (see security notification for version infromation) that could… | |||
| CVE-2021-22897 | medium | 5.3 | 5.3 | 5y ago | curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The s… | |||
| CVE-2021-31944 | medium | 5.0 | 5.0 | 5y ago | 3D Viewer Information Disclosure Vulnerability | |||
| CVE-2021-45476 | medium | 4.7 | 4.7 | 4y ago | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability. | |||
| CVE-2021-22701 | medium | 4.5 | 4.5 | 5y ago | A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that c… | |||
| CVE-2021-47958 | medium | 4.3 | 4.3 | 15d ago | CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG file… | |||
| CVE-2021-47953 | medium | 4.3 | 4.3 | 20d ago | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick a… | |||
| CVE-2021-44529 | unknown | — | 2.5 | 2y ago | Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability that allows an unauthenticated user to execute malicious code with limited permissions (nobody). | |||
| CVE-2021-27877 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme. | |||
| CVE-2021-27878 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine. | |||
| CVE-2021-27876 | unknown | — | 2.5 | 3y ago | Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Ag… | |||
| CVE-2021-35587 | unknown | — | 2.5 | 4y ago | Oracle Fusion Middleware Access Manager allows an unauthenticated attacker with network access via HTTP to takeover the Access Manager product. | |||
| CVE-2021-3493 | unknown | — | 2.5 | 4y ago | The overlayfs stacking file system in Linux kernel does not properly validate the application of file capabilities against user namespaces, which could lead to privilege escalation. | |||
| CVE-2021-31166 | unknown | — | 2.5 | 4y ago | Microsoft HTTP Protocol Stack contains a vulnerability in http.sys that allows for remote code execution. | |||
| CVE-2021-21551 | unknown | — | 2.5 | 4y ago | Dell dbutil driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial-of-service (DoS), or information disclosure. | |||
| CVE-2021-42237 | unknown | — | 2.5 | 4y ago | Sitcore XP contains an insecure deserialization vulnerability which can allow for remote code execution. | |||
| CVE-2021-36934 | unknown | — | 2.5 | 4y ago | If a Volume Shadow Copy (VSS) shadow copy of the system drive is available, users can read the SAM file which would allow any user to escalate privileges to SYSTEM level. | |||
| CVE-2021-25296 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-25297 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-25298 | unknown | — | 2.5 | 4y ago | Nagios XI contains a vulnerability which can lead to OS command injection on the Nagios XI server. | |||
| CVE-2021-21975 | unknown | — | 2.5 | 4y ago | Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to s… | |||
| CVE-2021-36260 | unknown | — | 2.5 | 4y ago | A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation. | |||
| CVE-2021-45046 | unknown | — | 2.5 | 5y ago | Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in… | |||
| CVE-2021-44077 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution | |||
| CVE-2021-40449 | unknown | — | 2.5 | 5y ago | Unspecified vulnerability allows for an authenticated user to escalate privileges. | |||
| CVE-2021-42321 | unknown | — | 2.5 | 5y ago | An authenticated attacker could leverage improper validation in cmdlet arguments within Microsoft Exchange and perform remote code execution. | |||
| CVE-2021-34473 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-40539 | unknown | — | 2.5 | 5y ago | Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution. | |||
| CVE-2021-35464 | unknown | — | 2.5 | 5y ago | ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFram… | |||
| CVE-2021-22986 | unknown | — | 2.5 | 5y ago | F5 BIG-IP and BIG-IQ Centralized Management contain a remote code execution vulnerability in the iControl REST interface that allows unauthenticated attackers with network access to execute system co… | |||
| CVE-2021-1732 | unknown | — | 2.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2021-36942 | unknown | — | 2.5 | 5y ago | Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability allowing an unauthenticated attacker to call a method on the LSARPC interface and coerce the domain controller to au… | |||
| CVE-2021-1498 | unknown | — | 2.5 | 5y ago | Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the tomcat8 user. | |||
| CVE-2021-26855 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-27065 | unknown | — | 2.5 | 5y ago | Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain. | |||
| CVE-2021-1497 | unknown | — | 2.5 | 5y ago | Cisco HyperFlex HX Installer Virtual Machine contains an insufficient input validation vulnerability which could allow an attacker to execute commands on an affected device as the root user. | |||
| CVE-2021-1675 | unknown | — | 2.5 | 5y ago | Microsoft Windows Print Spooler contains an unspecified vulnerability that allows for remote code execution. | |||
| CVE-2021-42258 | unknown | — | 2.5 | 5y ago | BQE BillQuick Web Suite contains an SQL injection vulnerability when accessing the username parameter that may allow for unauthenticated, remote code execution. | |||
| CVE-2021-26084 | unknown | — | 2.5 | 5y ago | Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code. | |||
| CVE-2021-30657 | unknown | — | 2.5 | 5y ago | Apple macOS contains an unspecified logic issue in System Preferences that may allow a malicious application to bypass Gatekeeper checks. | |||
| CVE-2021-38648 | unknown | — | 2.5 | 5y ago | Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing privilege escalation. |