CVEs from 2021

Total: 6,087

Severity breakdown
- critical: 273
- high: 975
- medium: 1,141
- low: 135

% Critical: 4.5%
% with KEV: 3.5%
% with exploit: 3.5%
Top products (CVE count)
- office: 13
- 365_apps: 6
- office_long_term_servicing_channel: 6
- library_automation_system: 5
- single_connect: 4
- http_server: 3
- solidfire: 2
- student_information_management_system: 2
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-26813 | low | — | 2.5 | 5y ago | markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regular expression denial of service vulnerability. If an attacker provides a malicious string, it can make markdown2 processing difficult or de… | |
| CVE-2021-20201 | low | — | 2.5 | 5y ago | Low: spice security update | |
| CVE-2021-32618 | low | — | 2.5 | 5y ago | The Python "Flask-Security-Too" package is used for adding security features to your Flask application. It is an independently maintained version of Flask-Security based on the 3.0.0 version of… | |
| CVE-2021-27919 | low | — | 2.5 | 5y ago | archive/zip in Go 1.16.x before 1.16.1 allows attackers to cause a denial of service (panic) upon attempted use of the Reader.Open API for a ZIP archive in which ../ occurs at the beginning of any fi… | |
| CVE-2021-28658 | low | — | 2.5 | 5y ago | In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3.1.8, MultiPartParser allowed directory traversal via uploaded files with suitably crafted file names. Built-in upload handlers were no… | |
| CVE-2021-3281 | low | — | 2.5 | 5y ago | In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal … | |
| CVE-2021-21330 | low | — | 2.5 | 5y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based… | |
| CVE-2021-21236 | low | — | 2.5 | 6y ago | CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When process… | |
| CVE-2021-44026 | unknown | — | 1.5 | 3y ago | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | |
| CVE-2021-45046 | unknown | — | 1.5 | 5y ago | Incomplete fix for Apache Log4j vulnerability | |
| CVE-2021-36692 | unknown | — | — | — | libjxl v0.3.7 is affected by a Divide By Zero issue in lib/extras/codec_apng.cc jxl::DecodeImageAPNG(). When encoding a malicious APNG file using cjxl, an attacker can trigger a denial of service. | |
| CVE-2021-45928 | unknown | — | — | — | libjxl b02d6b9, as used in libvips 8.11 through 8.11.2 and other products, has an out-of-bounds write in jxl::ModularFrameDecoder::DecodeGroup (called from jxl::FrameDecoder::ProcessACGroup and jxl::… | |
| CVE-2021-44025 | unknown | — | — | — | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | |
| CVE-2021-33054 | unknown | — | — | — | SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users whe… | |
| CVE-2021-20001 | unknown | — | — | — | It was discovered, that debian-edu-config, a set of configuration files used for the Debian Edu blend, before 2.12.16 configured insecure permissions for the user web shares (~/public_html), which co… | |
| CVE-2021-27804 | unknown | — | — | — | JPEG XL (aka jpeg-xl) through 0.3.2 allows writable memory corruption. | |
| CVE-2021-36691 | unknown | — | — | — | libjxl v0.5.0 is affected by an Assertion failed issue in lib/jxl/image.cc jxl::PlaneBase::PlaneBase(). When encoding a malicious GIF file using cjxl, an attacker can trigger a denial of service. | |
| CVE-2021-46144 | unknown | — | — | — | Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. | |
| CVE-2021-40874 | unknown | — | — | — | An issue was discovered in LemonLDAP::NG (aka lemonldap-ng) 2.0.13. When using the RESTServer plug-in to operate a REST password validation service (for another LemonLDAP::NG instance, for example) a… | |
| CVE-2021-28026 | unknown | — | — | — | jpeg-xl v0.3.2 is affected by a heap buffer overflow in /lib/jxl/coeff_order.cc ReadPermutation. When decoding a malicious jxl file using djxl, an attacker can trigger arbitrary code execution or a de… | |
| CVE-2021-35473 | unknown | — | — | — | An issue was discovered in LemonLDAP::NG before 2.0.12. There is a missing expiration check in the OAuth2.0 handler, i.e., it does not verify access token validity. An attacker can use an expired acce… | |
| CVE-2021-35472 | unknown | — | — | — | An issue was discovered in LemonLDAP::NG before 2.0.12. Session cache corruption can lead to authorization bypass or spoofing. By running a loop that makes many authentication attempts, an attacker m… | |
| CVE-2021-3754 | unknown | — | — | 2y ago | Keycloak's improper input validation allows using email as username | |
| CVE-2021-37942 | unknown | — | — | 3y ago | APM Java Agent Local Privilege Escalation issue | |
| CVE-2021-46877 | unknown | — | — | 3y ago | jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode | |
| CVE-2021-37305 | unknown | — | — | 3y ago | Insecure Permissions issue in jeecg-boot | |
| CVE-2021-3856 | unknown | — | — | 4y ago | Keycloak has Files or Directories Accessible to External Parties | |
| CVE-2021-3859 | unknown | — | — | 4y ago | Undertow vulnerable to Denial of Service (DoS) attacks | |
| CVE-2021-44791 | unknown | — | — | 4y ago | Apache Druid before 0.23.0 vulnerable to reflected XSS via unescaped URL parameters | |
| CVE-2021-41042 | unknown | — | — | 4y ago | XML External Entity Reference in Eclipse Lyo | |
| CVE-2021-43116 | unknown | — | — | 4y ago | Use of Hard-coded Credentials in Nacos | |
| CVE-2021-33036 | unknown | — | — | 4y ago | User account escalation in Apache Hadoop | |
| CVE-2021-40660 | unknown | — | — | 4y ago | Regular expression denial of service in Delight Nashorn Sandbox | |
| CVE-2021-33330 | unknown | — | — | 4y ago | Exposure of Resource to Wrong Sphere in Liferay Portal | |
| CVE-2021-42697 | unknown | — | — | 4y ago | Uncontrolled Recursion in Akka HTTP | |
| CVE-2021-22047 | unknown | — | — | 4y ago | Exposure of Resource to Wrong Sphere in Spring Data REST | |
| CVE-2021-3869 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in Stanford CoreNLP | |
| CVE-2021-3878 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in Stanford CoreNLP | |
| CVE-2021-21677 | unknown | — | — | 4y ago | RCE vulnerability in Jenkins Code Coverage API Plugin | |
| CVE-2021-21680 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Nested View Plugin | |
| CVE-2021-21681 | unknown | — | — | 4y ago | Password stored in plain text by Jenkins Nomad Plugin | |
| CVE-2021-3642 | unknown | — | — | 4y ago | Observable Discrepancy in Wildfly Elytron | |
| CVE-2021-33335 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Has Company Administrator Accounts Vulnerable to Takeovers | |
| CVE-2021-33338 | unknown | — | — | 4y ago | Liferay Portal Layout Module and Liferay DXP Exposes the Cross-Site Request Forgery (CSRF) Token in URLs | |
| CVE-2021-33339 | unknown | — | — | 4y ago | Liferay Portal Fragment Module and Liferay DXP Vulnerable to Cross-Site Scripting | |
| CVE-2021-33324 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Don't Check Permissions of Pages | |
| CVE-2021-33325 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Stores User Passwords in Cleartext | |
| CVE-2021-34802 | unknown | — | — | 4y ago | Improper Privilege Management in Neo4j Graph Database | |
| CVE-2021-21675 | unknown | — | — | 4y ago | CSRF vulnerabilities in Jenkins requests-plugin Plugin | |
| CVE-2021-21673 | unknown | — | — | 4y ago | Open redirect vulnerability in Jenkins CAS Plugin | |
| CVE-2021-21669 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins Generic Webhook Trigger Plugin | |
| CVE-2021-21665 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins XebiaLabs XL Deploy Plugin allows capturing credentials | |
| CVE-2021-21663 | unknown | — | — | 4y ago | Missing permission check in Jenkins XebiaLabs XL Deploy Plugin allows capturing credentials | |
| CVE-2021-21659 | unknown | — | — | 4y ago | XXE vulnerability in Jenkins URLTrigger Plugin | |
| CVE-2021-29048 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Vulnerable to Cross-Site Scripting (XSS) in the Layout Admin Page | |
| CVE-2021-29040 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP Reveals Data via Overly Verbose Error Messages | |
| CVE-2021-29041 | unknown | — | — | 4y ago | Liferay DXP Vulnerable to Denial-of-service (DoS) in the Multi-Factor Authentication Module | |
| CVE-2021-21647 | unknown | — | — | 4y ago | Missing permission check in Jenkins CloudBees CD Plugin allows scheduling builds | |
| CVE-2021-21643 | unknown | — | — | 4y ago | Incorrect permission checks in Jenkins Config File Provider Plugin allow enumerating credentials IDs | |
| CVE-2021-21645 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Config File Provider Plugin allow enumerating configuration file IDs | |
| CVE-2021-22513 | unknown | — | — | 4y ago | Missing permission checks in Micro Focus Application Automation Tools Plugin | |
| CVE-2021-21641 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins promoted builds Plugin | |
| CVE-2021-21634 | unknown | — | — | 4y ago | Passwords stored in plain text by Jenkins Jabber (XMPP) notifier and control Plugin | |
| CVE-2021-21637 | unknown | — | — | 4y ago | Missing permission check in Jenkins Team Foundation Server Plugin allow capturing credentials | |
| CVE-2021-21626 | unknown | — | — | 4y ago | Missing permission checks in Jenkins Warnings Next Generation Plugin allow listing workspace contents | |
| CVE-2021-21619 | unknown | — | — | 4y ago | XSS vulnerability in Jenkins Claim Plugin | |
| CVE-2021-21616 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Active Choices Plugin | |
| CVE-2021-21617 | unknown | — | — | 4y ago | CSRF vulnerability in Jenkins Configuration Slicing Plugin | |
| CVE-2021-0341 | unknown | — | — | 4y ago | Square OkHttp can accept the wrong certificate | |
| CVE-2021-21614 | unknown | — | — | 4y ago | Credentials stored in plain text by Jenkins Bumblebee HP ALM Plugin | |
| CVE-2021-23266 | unknown | — | — | 4y ago | Log value insertion in craftercms | |
| CVE-2021-44138 | unknown | — | — | 4y ago | Path Traversal in Caucho Resin | |
| CVE-2021-30180 | unknown | — | — | 4y ago | Code injection in Apache Dubbo | |
| CVE-2021-30179 | unknown | — | — | 4y ago | Deserialization of Untrusted Data in Apache Dubbo | |
| CVE-2021-21655 | unknown | — | — | 4y ago | Cross-Site Request Forgery in Jenkins P4 Plugin | |
| CVE-2021-44667 | unknown | — | — | 4y ago | Cross-site Scripting in Nacos | |
| CVE-2021-38265 | unknown | — | — | 4y ago | Liferay Portal and Liferay DXP vulnerable to cross-site scripting (XSS) | |
| CVE-2021-41193 | unknown | — | — | 4y ago | Use of Externally-Controlled Format String in wire-avs | |
| CVE-2021-46037 | unknown | — | — | 4y ago | Path traversal in MCMS | |
| CVE-2021-44868 | unknown | — | — | 4y ago | SQL injection in MCMS | |
| CVE-2021-44521 | unknown | — | — | 4y ago | Apache Cassandra vulnerable to Code Injection due to unsafe configuration | |
| CVE-2021-46365 | unknown | — | — | 4y ago | Improper Restriction of XML External Entity Reference in Magnolia CMS | |
| CVE-2021-46363 | unknown | — | — | 4y ago | Arbitrary code execution in Magnolia CMS | |
| CVE-2021-41571 | unknown | — | — | 4y ago | Improper Input Validation in Apache Pulsar | |
| CVE-2021-42767 | unknown | — | — | 4y ago | Neo4j Graph Database vulnerable to Path Traversal | |
| CVE-2021-23460 | unknown | — | — | 4y ago | Prototype pollution in min-dash | |
| CVE-2021-46089 | unknown | — | — | 4y ago | SQL Injection in JeecgBoot | |
| CVE-2021-23566 | unknown | — | — | 4y ago | The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated. | |
| CVE-2021-22060 | unknown | — | — | 4y ago | Log entry injection in Spring Framework | |
| CVE-2021-36739 | unknown | — | — | 4y ago | Cross-site Scripting in Apache Pluto | |
| CVE-2021-36774 | unknown | — | — | 4y ago | SQL Injection in Apache Kylin | |
| CVE-2021-38542 | unknown | — | — | 4y ago | Command Injection in Apache James | |
| CVE-2021-23382 | unknown | — | — | 4y ago | The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused … | |
| CVE-2021-21668 | unknown | — | — | 4y ago | Stored XSS vulnerability in Jenkins Scriptler Plugin | |
| CVE-2021-4133 | unknown | — | — | 4y ago | Improper Authorization in Keycloak | |
| CVE-2021-44832 | unknown | — | — | 5y ago | Improper Input Validation and Injection in Apache Log4j2 | |
| CVE-2021-45943 | unknown | — | — | 5y ago | GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment… | |
| CVE-2021-23264 | unknown | — | — | 5y ago | Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search | |
| CVE-2021-23463 | unknown | — | — | 5y ago | Improper Restriction of XML External Entity Reference in com.h2database:h2. | |
| CVE-2021-43821 | unknown | — | — | 5y ago | Files Accessible to External Parties in Opencast | |