CVEs from 2021

Total: 4,841

- critical: 279
- high: 1,005
- medium: 1,166
- low: 138

% Critical: 5.8%
% with KEV: 4.4%
% with exploit: 5.3%

Top vendors

Top products

- office 13
- primavera_gateway 10
- weblogic_server 9
- modicon_m340_bmxp342020 8
- log4j 8
- primavera_unifier 8
- retail_service_backbone 7
- communications_unified_inventory_management 7
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-32013 | unknown | — | — |  |  |  | 5y ago | Denial of Service in SheetJS Pro |
| CVE-2021-32014 | unknown | — | — |  |  |  | 5y ago | Denial of Service in SheetJS Pro |
| CVE-2021-3637 | unknown | — | — |  |  |  | 5y ago | Allocation of resources without limits or throttling in keycloak-model-infinispan |
| CVE-2021-38193 | unknown | — | — |  |  |  | 5y ago | An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870. |
| CVE-2021-38191 | unknown | — | — |  |  |  | 5y ago | An issue was discovered in the tokio crate before 1.8.1 for Rust. Upon a JoinHandle::abort, a Task may be dropped in the wrong thread. |
| CVE-2021-32729 | unknown | — | — |  |  |  | 5y ago | A user without PR can reset user authentication failures information |
| CVE-2021-32730 | unknown | — | — |  |  |  | 5y ago | No CSRF protection on the password change form |
| CVE-2021-32731 | unknown | — | — |  |  |  | 5y ago | The reset password form reveals users' email addresses |
| CVE-2021-21672 | unknown | — | — |  |  |  | 5y ago | XXE vulnerability in Jenkins Selenium HTML report Plugin |
| CVE-2021-22119 | unknown | — | — |  |  |  | 5y ago | Resource Exhaustion in Spring Security |
| CVE-2021-22135 | unknown | — | — |  |  |  | 5y ago | API information disclosure flaw in Elasticsearch |
| CVE-2021-29479 | unknown | — | — |  |  |  | 5y ago | Cached redirect poisoning via X-Forwarded-Host header |
| CVE-2021-29480 | unknown | — | — |  |  |  | 5y ago | Ratpack's default client side session signing key is highly predictable |
| CVE-2021-29481 | unknown | — | — |  |  |  | 5y ago | Unencrypted storage of client side sessions |
| CVE-2021-29485 | unknown | — | — |  |  |  | 5y ago | Remote Code Execution Vulnerability in Session Storage |
| CVE-2021-33604 | unknown | — | — |  |  |  | 5y ago | Reflected cross-site scripting in development mode handler in Vaadin 14, 15-19 |
| CVE-2021-31412 | unknown | — | — |  |  |  | 5y ago | Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19 |
| CVE-2021-34428 | unknown | — | — |  |  |  | 5y ago | SessionListener can prevent a session from being invalidated, breaking logout |
| CVE-2021-32693 | unknown | — | — |  |  |  | 5y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prio… |
| CVE-2021-32623 | unknown | — | — |  |  |  | 5y ago | Billion laughs attack (XML bomb) |
| CVE-2021-27568 | unknown | — | — |  |  |  | 5y ago | Improper Check for Unusual or Exceptional Conditions in json-smart |
| CVE-2021-27807 | unknown | — | — |  |  |  | 5y ago | Excessive Iteration Denial of Service in Apache PDFBox |
| CVE-2021-23331 | unknown | — | — |  |  |  | 5y ago | Insecure temporary file used in com.squareup:connect |
| CVE-2021-26919 | unknown | — | — |  |  |  | 5y ago | Arbitrary code execution in Apache Druid |
| CVE-2021-20220 | unknown | — | — |  |  |  | 5y ago | HTTP request smuggling in Undertow |
| CVE-2021-25122 | unknown | — | — |  |  |  | 5y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat |
| CVE-2021-27576 | unknown | — | — |  |  |  | 5y ago | Uncontrolled Resource Consumption in Apache OpenMeetings server |
| CVE-2021-26117 | unknown | — | — |  |  |  | 5y ago | Improper Authentication in Apache ActiveMQ and Apache Artemis |
| CVE-2021-26118 | unknown | — | — |  |  |  | 5y ago | Apache ActiveMQ Artemis vulnerable to Improper Access Control |
| CVE-2021-23926 | unknown | — | — |  |  |  | 5y ago | Improper Restriction of Recursive Entity References in Apache XMLBeans |
| CVE-2021-23899 | unknown | — | — |  |  |  | 5y ago | Arbitrary code injection in json-sanitizer |
| CVE-2021-26296 | unknown | — | — |  |  |  | 5y ago | Cryptographically weak CSRF tokens in Apache MyFaces |
| CVE-2021-21620 | unknown | — | — |  |  |  | 5y ago | Cross-Site Request Forgery in the Jenkins Claim plugin |
| CVE-2021-21654 | unknown | — | — |  |  |  | 5y ago | Missing Authorization in Jenkins P4 plugin |
| CVE-2021-21653 | unknown | — | — |  |  |  | 5y ago | Missing Authorization in Jenkins xray-connector |
| CVE-2021-21651 | unknown | — | — |  |  |  | 5y ago | Missing Authorization in Jenkins S3 publisher Plugin |
| CVE-2021-21650 | unknown | — | — |  |  |  | 5y ago | Missing Authorization in Jenkins S3 publisher Plugin |
| CVE-2021-21652 | unknown | — | — |  |  |  | 5y ago | CSRF vulnerability in Jenkins Xray - Test Management for Jira Plugin allows capturing credentials |
| CVE-2021-21649 | unknown | — | — |  |  |  | 5y ago | Cross-site Scripting in Jenkins Dashboard View Plugin |
| CVE-2021-21648 | unknown | — | — |  |  |  | 5y ago | Cross-Site Request Forgery in Jenkins Credentials Plugin |
| CVE-2021-26077 | unknown | — | — |  |  |  | 5y ago | Improper Authentication in Atlassian Connect Spring Boot |
| CVE-2021-32053 | unknown | — | — |  |  |  | 5y ago | Uncontrolled Resource Consumption in JPA Server in HAPI FHIR |
| CVE-2021-31164 | unknown | — | — |  |  |  | 5y ago | Command injection in Apache Unomi |
| CVE-2021-21661 | unknown | — | — |  |  |  | 5y ago | Missing Authorization in Jenkins Kubernetes CLI Plugin |
| CVE-2021-21666 | unknown | — | — |  |  |  | 5y ago | Cross-site scripting in Jenkins Kiuwan Plugin |
| CVE-2021-20293 | unknown | — | — |  |  |  | 5y ago | Cross-Site Scripting |
| CVE-2021-31811 | unknown | — | — |  |  |  | 5y ago | Uncontrolled memory consumption |
| CVE-2021-31812 | unknown | — | — |  |  |  | 5y ago | Infinite Loop in Apache PDFBox |
| CVE-2021-28169 | unknown | — | — |  |  |  | 5y ago | Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability |
| CVE-2021-22160 | unknown | — | — |  |  |  | 5y ago | Improper Verification of Cryptographic Signature in Apache Pulsar in TensorFlow |
| CVE-2021-32643 | unknown | — | — |  |  |  | 5y ago | StaticFile.fromUrl can leak presence of a directory |
| CVE-2021-25933 | unknown | — | — |  |  |  | 5y ago | Cross-site Scripting in OpenNMS Horizon |
| CVE-2021-25929 | unknown | — | — |  |  |  | 5y ago | Cross-site Scripting in OpenNMS Horizon |
| CVE-2021-25931 | unknown | — | — |  |  |  | 5y ago | Cross-Site Request Forgery in OpenNMS Horizon |
| CVE-2021-25930 | unknown | — | — |  |  |  | 5y ago | Cross-Site Request Forgery in OpenNMS Horizon |
| CVE-2021-3536 | unknown | — | — |  |  |  | 5y ago | Cross-site Scripting in Wildfly |
| CVE-2021-29506 | unknown | — | — |  |  |  | 5y ago | Navigate endpoint is vulnerable to regex injection that may lead to Denial of Service. |
| CVE-2021-29505 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to a Remote Command Execution attack |
| CVE-2021-32620 | unknown | — | — |  |  |  | 5y ago | XWiki users registered with email verification can self re-activate their disabled accounts |
| CVE-2021-32621 | unknown | — | — |  |  |  | 5y ago | Script injection without script or programming rights through Gadget titles |
| CVE-2021-23900 | unknown | — | — |  |  |  | 5y ago | Uncaught Exception leading to Denial of Service in json-sanitizer |
| CVE-2021-27582 | unknown | — | — |  |  |  | 5y ago | Autobinding vulnerability in MITREid Connect |
| CVE-2021-21043 | unknown | — | — |  |  |  | 5y ago | Reflected Cross-site Scripting (XSS) in ACS Commons |
| CVE-2021-22696 | unknown | — | — |  |  |  | 5y ago | Authorization service vulnerable to DDoS attacks in Apache CXF |
| CVE-2021-26715 | unknown | — | — |  |  |  | 5y ago | Server Side Request Forgery (SSRF) in org.mitre:openid-connect-server |
| CVE-2021-26544 | unknown | — | — |  |  |  | 5y ago | Apache Livy Cross-site scripting (XSS) in session names |
| CVE-2021-27906 | unknown | — | — |  |  |  | 5y ago | Uncontrolled Memory Allocation in Apache PDFBox |
| CVE-2021-21424 | unknown | — | — |  |  |  | 5y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling de… |
| CVE-2021-23368 | unknown | — | — |  |  |  | 5y ago | The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing. |
| CVE-2021-28657 | unknown | — | — |  |  |  | 5y ago | Infinite loop in Apache Tika |
| CVE-2021-26074 | unknown | — | — |  |  |  | 5y ago | Broken Authentication in Atlassian Connect Spring Boot |
| CVE-2021-22113 | unknown | — | — |  |  |  | 5y ago | Incorrect Authorization in Spring Cloud Netflix Zuul |
| CVE-2021-23339 | unknown | — | — |  |  |  | 5y ago | HTTP Request Smuggling in akka-http-core |
| CVE-2021-31411 | unknown | — | — |  |  |  | 5y ago | Insecure temporary directory usage in frontend build functionality of Vaadin 14 and 15-19 |
| CVE-2021-31409 | unknown | — | — |  |  |  | 5y ago | Regular expression Denial of Service (ReDoS) in EmailValidator class in V7 compatibility module in Vaadin 8 |
| CVE-2021-21429 | unknown | — | — |  |  |  | 5y ago | Creation of Temporary File in Directory with Insecure Permissions in the OpenAPI Generator Maven plugin |
| CVE-2021-29442 | unknown | — | — |  |  |  | 5y ago | Authentication bypass for specific endpoint |
| CVE-2021-29441 | unknown | — | — |  |  |  | 5y ago | Authentication Bypass |
| CVE-2021-28168 | unknown | — | — |  |  |  | 5y ago | Local information disclosure via system temporary directory |
| CVE-2021-29459 | unknown | — | — |  |  |  | 5y ago | XSS Cross Site Scripting |
| CVE-2021-31408 | unknown | — | — |  |  |  | 5y ago | Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19 |
| CVE-2021-29451 | unknown | — | — |  |  |  | 5y ago | Missing validation of JWT signature in `ManyDesigns/Portofino` |
| CVE-2021-31404 | unknown | — | — |  |  |  | 5y ago | Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18 |
| CVE-2021-31403 | unknown | — | — |  |  |  | 5y ago | Timing side channel vulnerability in UIDL request handler in Vaadin 7 and 8 |
| CVE-2021-31406 | unknown | — | — |  |  |  | 5y ago | Timing side channel vulnerability in endpoint request handler in Vaadin 15-19 |
| CVE-2021-31405 | unknown | — | — |  |  |  | 5y ago | Regular expression denial of service (ReDoS) in EmailField component in Vaadin 14 and 15-17 |
| CVE-2021-23369 | unknown | — | — |  |  |  | 5y ago | Remote code execution in handlebars when compiling templates |
| CVE-2021-28163 | unknown | — | — |  |  |  | 5y ago | Directory exposure in Jetty |
| CVE-2021-28100 | unknown | — | — |  |  |  | 5y ago | Netflix/Priam: Temporary Directory Information Disclosure |
| CVE-2021-28099 | unknown | — | — |  |  |  | 5y ago | Insecure temporary file in Netflix OSS Hollow |
| CVE-2021-21380 | unknown | — | — |  |  |  | 5y ago | Rating Script Service exposes XWiki to SQL injection |
| CVE-2021-21379 | unknown | — | — |  |  |  | 5y ago | It's possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro |
| CVE-2021-21351 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21350 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21349 | unknown | — | — |  |  |  | 5y ago | A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host |
| CVE-2021-21348 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDoS) |
| CVE-2021-21347 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21346 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |
| CVE-2021-21345 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to a Remote Command Execution attack |
| CVE-2021-21344 | unknown | — | — |  |  |  | 5y ago | XStream is vulnerable to an Arbitrary Code Execution attack |