CVEs from 2021

- Total: 6,087
- Critical: 273
- High: 975
- Medium: 1,141
- Low: 135
- % Critical: 4.5%
- % with KEV: 3.5%
- % with exploit: 3.5%

Top products
- office 13
- 365_apps 6
- office_long_term_servicing_channel 6
- library_automation_system 5
- single_connect 4
- http_server 3
- solidfire 2
- student_information_management_system 2

| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-3156 | critical | — | 10.0 | 4y ago | Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation. | |
| CVE-2021-4102 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-44228 | critical | — | 10.0 | 5y ago | Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution. | |
| CVE-2021-30551 | critical | — | 10.0 | 5y ago | multiple issues in chromium | |
| CVE-2021-42013 | critical | — | 10.0 | 5y ago | Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under defa… | |
| CVE-2021-21148 | critical | — | 10.0 | 5y ago | multiple issues in chromium | |
| CVE-2021-22205 | critical | — | 10.0 | 5y ago | GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through Exi… | |
| CVE-2021-47952 | critical | 9.8 | 9.8 | 12d ago | python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. … | |
| CVE-2021-47965 | critical | 9.8 | 9.8 | 13d ago | WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation.… | |
| CVE-2021-47940 | critical | 9.8 | 9.8 | 18d ago | WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fi… | |
| CVE-2021-47936 | critical | 9.8 | 9.8 | 18d ago | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Att… | |
| CVE-2021-47933 | critical | 9.8 | 9.8 | 18d ago | WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers… | |
| CVE-2021-47932 | critical | 9.8 | 9.8 | 18d ago | WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler… | |
| CVE-2021-47923 | critical | 9.8 | 9.8 | 18d ago | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID c… | |
| CVE-2021-3854 | critical | 9.8 | 9.8 | 3y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before … | |
| CVE-2021-4105 | critical | 9.8 | 9.8 | 3y ago | Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion. This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727. | |
| CVE-2021-3825 | critical | 9.6 | 9.6 | 5y ago | Version 2.1.15 and below of the Lider module in LiderAhenk software leaks its configurations via an unsecured API. An attacker with access to the configurations API could get valid LDAP crede… | |
| CVE-2021-21134 | critical | — | 9.5 | — | Incorrect security UI in Page Info in Google Chrome on iOS prior to 88.0.4324.96 allowed a remote attacker to spoof security UI via a crafted HTML page. | |
| CVE-2021-21133 | critical | — | 9.5 | — | Insufficient policy enforcement in Downloads in Google Chrome prior to 88.0.4324.96 allowed an attacker who convinced a user to download files to bypass navigation restrictions via a crafted HTML pag… | |
| CVE-2021-21119 | critical | — | 9.5 | — | Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21140 | critical | — | 9.5 | — | Uninitialized use in USB in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform out of bounds memory access via a USB device. | |
| CVE-2021-31921 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-34824 | critical | — | 9.5 | — | information disclosure in istio | |
| CVE-2021-22199 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-30163 | critical | — | 9.5 | — | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. | |
| CVE-2021-4100 | critical | — | 9.5 | — | Object lifecycle issue in ANGLE in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-22201 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-22200 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-22202 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-4098 | critical | — | 9.5 | — | Insufficient data validation in Mojo in Google Chrome prior to 96.0.4664.110 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted H… | |
| CVE-2021-31866 | critical | — | 9.5 | — | Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController… | |
| CVE-2021-30548 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-29953 | critical | — | 9.5 | — | A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerab… | |
| CVE-2021-21131 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21126 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. | |
| CVE-2021-22197 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-22192 | critical | — | 9.5 | — | arbitrary code execution in gitlab | |
| CVE-2021-30550 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21122 | critical | — | 9.5 | — | Use after free in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21125 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21123 | critical | — | 9.5 | — | Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21117 | critical | — | 9.5 | — | Insufficient policy enforcement in Cryptohome in Google Chrome prior to 88.0.4324.96 allowed a local attacker to perform OS-level privilege escalation via a crafted file. | |
| CVE-2021-21139 | critical | — | 9.5 | — | Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |
| CVE-2021-21120 | critical | — | 9.5 | — | Use after free in WebSQL in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21130 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21135 | critical | — | 9.5 | — | Inappropriate implementation in Performance API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2021-21127 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass content security policy via a crafted Chrome Extension. | |
| CVE-2021-21136 | critical | — | 9.5 | — | Insufficient policy enforcement in WebView in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2021-21141 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass file extension policy via a crafted HTML page. | |
| CVE-2021-4099 | critical | — | 9.5 | — | Use after free in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30553 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-31863 | critical | — | 9.5 | — | Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by th… | |
| CVE-2021-21132 | critical | — | 9.5 | — | Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted Chrome Extension. | |
| CVE-2021-31865 | critical | — | 9.5 | — | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. | |
| CVE-2021-28683 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-30164 | critical | — | 9.5 | — | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. | |
| CVE-2021-29258 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-3345 | critical | — | 9.5 | — | _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1… | |
| CVE-2021-29274 | critical | — | 9.5 | — | Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. | |
| CVE-2021-31864 | critical | — | 9.5 | — | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. | |
| CVE-2021-22196 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21137 | critical | — | 9.5 | — | Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page. | |
| CVE-2021-22198 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21143 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-4101 | critical | — | 9.5 | — | Heap buffer overflow in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21138 | critical | — | 9.5 | — | Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file. | |
| CVE-2021-30544 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21144 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30546 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30545 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21142 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-22203 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-21146 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30552 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21128 | critical | — | 9.5 | — | Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-26675 | critical | — | 9.5 | — | A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code. | |
| CVE-2021-21124 | critical | — | 9.5 | — | Potential use after free in Speech Recognizer in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-28682 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-21145 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30549 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21129 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21121 | critical | — | 9.5 | — | Use after free in Omnibox in Google Chrome on Linux prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-21118 | critical | — | 9.5 | — | Insufficient data validation in V8 in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |
| CVE-2021-21147 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-29492 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-31920 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-26676 | critical | — | 9.5 | — | gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp. | |
| CVE-2021-30547 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-39935 | high | — | 9.5 | 4mo ago | GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. | |
| CVE-2021-22555 | high | — | 9.5 | 8mo ago | Important: kernel security, bug fix, and enhancement update | |
| CVE-2021-43798 | high | — | 9.5 | 2y ago | Grafana contains a path traversal vulnerability that could allow access to local files. | |
| CVE-2021-3560 | high | — | 9.5 | 3y ago | Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation. | |
| CVE-2021-4034 | high | — | 9.5 | 4y ago | Important: polkit security update | |
| CVE-2021-30533 | high | — | 9.5 | 4y ago | multiple issues in chromium | |
| CVE-2021-21686 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21693 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21690 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21688 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21694 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21685 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins |