CVEs from 2021
Total
6,258
critical
critical 272
high
high 976
medium
medium 1,141
low
low 135
% Critical
4.3%
% with KEV
3.4%
% with exploit
3.4%
Top products
- office 13
- 365_apps 6
- office_long_term_servicing_channel 6
- library_automation_system 5
- single_connect 4
- http_server 3
- solidfire 2
- student_information_management_system 2
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-30952 | medium | — | 7.0 | 3mo ago | Moderate: webkit2gtk3 security, bug fix, and enhancement update | |
| CVE-2021-1789 | medium | — | 7.0 | 4y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-22204 | medium | — | 7.0 | 5y ago | Improper neutralization of user data in the DjVu file format in Exiftool versions 7.44 and up allows arbitrary code execution when parsing the malicious image | |
| CVE-2021-30762 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30666 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-1871 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30858 | medium | — | 7.0 | 5y ago | Apple iOS, iPadOS, and macOS WebKit contain a use-after-free vulnerability that leads to code execution when processing maliciously crafted web content. This vulnerability could impact HTML parsers t… | |
| CVE-2021-30663 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30665 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30661 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-1870 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-30761 | medium | — | 7.0 | 5y ago | Moderate: GNOME security, bug fix, and enhancement update | |
| CVE-2021-21508 | medium | 6.7 | 6.7 | 5d ago | Dell VxRail versions before 7.0.200 contain a Plain-text Password Storage Vulnerability in VxRail Manager. A sys-admin user may exploit this vulnerability, leading to the disclosure of certain user c… | |
| CVE-2021-36438 | medium | 6.5 | 6.5 | 1mo ago | SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 ivia the category parameter in /jobportal/index.php. | |
| CVE-2021-45478 | medium | 6.5 | 6.5 | 3y ago | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: bef… | |
| CVE-2021-45477 | medium | 6.5 | 6.5 | 3y ago | Improper Handling of Parameters vulnerability in Bordam Information Technologies Library Automation System allows Collect Data as Provided by Users. This issue affects Library Automation System: bef… | |
| CVE-2021-42293 | medium | 6.5 | 6.5 | 5y ago | Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability | |
| CVE-2021-21735 | medium | 6.5 | 6.5 | 5y ago | A ZTE product has an information leak vulnerability. Due to improper permission settings, an attacker with ordinary user permissions could exploit this vulnerability to obtain some sensitive user inf… | |
| CVE-2021-47957 | medium | 6.4 | 6.4 | 11d ago | Cookie Law Bar 1.2.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unsanitized input to the Bar Message field. Att… | |
| CVE-2021-47968 | medium | 6.4 | 6.4 | 12d ago | Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description p… | |
| CVE-2021-47962 | medium | 6.4 | 6.4 | 12d ago | Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers… | |
| CVE-2021-47951 | medium | 6.4 | 6.4 | 17d ago | WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access C… | |
| CVE-2021-47950 | medium | 6.4 | 6.4 | 17d ago | Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulati… | |
| CVE-2021-47947 | medium | 6.4 | 6.4 | 17d ago | Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edi… | |
| CVE-2021-47931 | medium | 6.4 | 6.4 | 17d ago | Exponent CMS 2.6 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Title and Text Block parameters in the text editing e… | |
| CVE-2021-47929 | medium | 6.4 | 6.4 | 17d ago | Filterable Portfolio Gallery 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by entering payloads in the title field. Attac… | |
| CVE-2021-47927 | medium | 6.4 | 6.4 | 17d ago | WordPress Plugin WP Symposium Pro 2021.10 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting insufficient sanitization … | |
| CVE-2021-47926 | medium | 6.4 | 6.4 | 17d ago | Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name f… | |
| CVE-2021-47925 | medium | 6.4 | 6.4 | 17d ago | CMDBuild 3.3.2 contains multiple stored cross-site scripting vulnerabilities that allow authenticated attackers to inject arbitrary web script or HTML via crafted input in card creation and file uplo… | |
| CVE-2021-47924 | medium | 6.4 | 6.4 | 17d ago | Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit P… | |
| CVE-2021-47922 | medium | 6.4 | 6.4 | 17d ago | Slider by Soliloquy 2.6.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the title parameter. Attackers can add JavaScrip… | |
| CVE-2021-47910 | medium | 6.4 | 6.4 | 17d ago | AccessPress Social Icons 1.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering JavaScript payloads into the 'icon titl… | |
| CVE-2021-47907 | medium | 6.4 | 6.4 | 17d ago | Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Attac… | |
| CVE-2021-47978 | medium | 6.2 | 6.2 | 11d ago | ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send req… | |
| CVE-2021-47967 | medium | 6.1 | 6.1 | 12d ago | PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters. Attackers … | |
| CVE-2021-47836 | medium | 6.1 | 6.1 | 4mo ago | Markdown Explorer 0.1.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through file uploads and editor inputs. Attackers can upload markdown files with e… | |
| CVE-2021-4195 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firmanet Software and Technology Customer Relation Manager allows XSS Targeting HTML Attributes. … | |
| CVE-2021-44197 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Informa… | |
| CVE-2021-44196 | medium | 6.1 | 6.1 | 3y ago | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in UBIT Information Technologies Student Information Management System. This issue affects Student Informa… | |
| CVE-2021-24119 | medium | — | 5.5 | — | In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlle… | |
| CVE-2021-28877 | medium | — | 5.5 | — | In the standard library in Rust before 1.51.0, the Zip implementation calls __iterator_get_unchecked() for the same index more than once when nested. This bug can lead to a memory safety violation du… | |
| CVE-2021-29474 | medium | — | 5.5 | — | information disclosure in hedgedoc | |
| CVE-2021-21857 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |
| CVE-2021-31255 | medium | — | 5.5 | — | Buffer overflow in the abst_box_read function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | |
| CVE-2021-30015 | medium | — | 5.5 | — | There is a Null Pointer Dereference in function filter_core/filter_pck.c:gf_filter_pck_new_alloc_internal in GPAC 1.0.1. The pid comes from function av1dmx_parse_flush_sample, the ctx.opid maybe NULL… | |
| CVE-2021-3514 | medium | — | 5.5 | — | Moderate: 389-ds:1.4 security and bug fix update | |
| CVE-2021-32491 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow in function render() in tools/ddjvu via crafted djvu file may lead to application crash and other consequences. | |
| CVE-2021-32438 | medium | — | 5.5 | — | The gf_media_export_filters function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |
| CVE-2021-3500 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in function DJVU::DjVuDocument::get_djvu_file() via crafted djvu file may lead to application crash and other consequences. | |
| CVE-2021-30014 | medium | — | 5.5 | — | There is a integer overflow in media_tools/av_parsers.c in the hevc_parse_slice_segment function in GPAC from v0.9.0-preview to 1.0.1 which results in a crash. | |
| CVE-2021-25321 | medium | — | 5.5 | — | privilege escalation in arpwatch | |
| CVE-2021-30123 | medium | — | 5.5 | — | FFmpeg <=4.3 contains a buffer overflow vulnerability in libavcodec through a crafted file that may lead to remote code execution. | |
| CVE-2021-32493 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overflow in function DJVU::GBitmap::decode() via crafted djvu file may lead to application crash and other consequences. | |
| CVE-2021-27021 | medium | — | 5.5 | — | A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tables via an SQL query. | |
| CVE-2021-21845 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input in “stsc”… | |
| CVE-2021-20272 | medium | — | 5.5 | — | A flaw was found in privoxy before 3.0.32. An assertion failure could be triggered with a crafted CGI request leading to server crash. | |
| CVE-2021-37232 | medium | — | 5.5 | — | A stack overflow vulnerability occurs in Atomicparsley 20210124.204813.840499f through APar_read64() in src/util.cpp due to the lack of buffer size of uint32_buffer while reading more bytes in APar_r… | |
| CVE-2021-22923 | medium | — | 5.5 | — | Moderate: curl security update | |
| CVE-2021-20273 | medium | — | 5.5 | — | A flaw was found in privoxy before 3.0.32. A crash can occur via a crafted CGI request if Privoxy is toggled off. | |
| CVE-2021-22924 | medium | — | 5.5 | — | Moderate: curl security update | |
| CVE-2021-31615 | medium | — | 5.5 | — | multiple issues in linux | |
| CVE-2021-30499 | medium | — | 5.5 | — | A flaw was found in libcaca. A buffer overflow of export.c in function export_troff might lead to memory corruption and other potential consequences. | |
| CVE-2021-31260 | medium | — | 5.5 | — | The MergeTrack function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |
| CVE-2021-3755 | medium | — | 5.5 | — | arbitrary command execution in rsync | |
| CVE-2021-32269 | medium | — | 5.5 | — | An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function ilst_item_box_dump located in box_dump.c. It allows an attacker to cause Denial of Service. | |
| CVE-2021-36370 | medium | — | 5.5 | — | An issue was discovered in Midnight Commander through 4.8.26. When establishing an SFTP connection, the fingerprint of the server is neither checked nor displayed. As a result, a user connects to the… | |
| CVE-2021-37220 | medium | — | 5.5 | — | MuPDF through 1.18.1 has an out-of-bounds write because the cached color converter does not properly consider the maximum key size of a hash table. This can, for example, be seen with crafted "mutool… | |
| CVE-2021-30474 | medium | — | 5.5 | — | multiple issues in aom | |
| CVE-2021-26825 | medium | — | 5.5 | — | An integer overflow issue exists in Godot Engine up to v3.2 that can be triggered when loading specially crafted.TGA image files. The vulnerability exists in ImageLoaderTGA::load_image() function at … | |
| CVE-2021-41581 | medium | — | 5.5 | — | information disclosure in libressl | |
| CVE-2021-38204 | medium | — | 5.5 | — | drivers/usb/host/max3421-hcd.c in the Linux kernel before 5.13.6 allows physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in cer… | |
| CVE-2021-3349 | medium | — | 5.5 | — | GNOME Evolution through 3.38.3 produces a "Valid signature" message for an unknown identifier on a previously trusted key because Evolution does not retrieve enough information from the GnuPG API. NO… | |
| CVE-2021-29923 | medium | — | 5.5 | — | Moderate: go-toolset:rhel8 security update | |
| CVE-2021-38382 | medium | — | 5.5 | — | multiple issues in live-media | |
| CVE-2021-34340 | medium | — | 5.5 | — | multiple issues in ming | |
| CVE-2021-29279 | medium | — | 5.5 | — | There is a integer overflow in function filter_core/filter_props.c:gf_props_assign_value in GPAC 1.0.1. In which, the arg const GF_PropertyValue *value,maybe value->value.data.size is a negative numb… | |
| CVE-2021-35197 | medium | — | 5.5 | — | In MediaWiki before 1.31.15, 1.32.x through 1.35.x before 1.35.3, and 1.36.x before 1.36.1, bots have certain unintended API access. When a bot account has a "sitewide block" applied, it is able to s… | |
| CVE-2021-22946 | medium | — | 5.5 | — | Moderate: curl security update | |
| CVE-2021-30157 | medium | — | 5.5 | — | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-fi… | |
| CVE-2021-30155 | medium | — | 5.5 | — | An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of… | |
| CVE-2021-31162 | medium | — | 5.5 | — | In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the element panics. | |
| CVE-2021-32139 | medium | — | 5.5 | — | The gf_isom_vp_config_get function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. | |
| CVE-2021-32137 | medium | — | 5.5 | — | Heap buffer overflow in the URL_GetProtocolType function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file. | |
| CVE-2021-22567 | medium | — | 5.5 | — | multiple issues in dart | |
| CVE-2021-20241 | medium | — | 5.5 | — | A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The hig… | |
| CVE-2021-37631 | medium | — | 5.5 | — | information disclosure in nextcloud-app-deck | |
| CVE-2021-29951 | medium | — | 5.5 | — | The Mozilla Maintenance Service granted SERVICE_START access to BUILTIN|Users which, in a domain network, grants normal remote users access to start or stop the service. This could be used to prevent… | |
| CVE-2021-28302 | medium | — | 5.5 | — | A stack overflow in pupnp before version 1.14.5 can cause the denial of service through the Parser_parseDocument() function. ixmlNode_free() will release a child node recursively, which will consume … | |
| CVE-2021-20243 | medium | — | 5.5 | — | A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. … | |
| CVE-2021-40145 | medium | — | 5.5 | — | gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor's position is "The GD2 image format is a proprietary image format of libgd. It has t… | |
| CVE-2021-20229 | medium | — | 5.5 | — | A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat … | |
| CVE-2021-21843 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |
| CVE-2021-32490 | medium | — | 5.5 | — | A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds write in function DJVU::filter_bv() via crafted djvu file may lead to application crash and other consequences. | |
| CVE-2021-3024 | medium | — | 5.5 | — | information disclosure in vault | |
| CVE-2021-29945 | medium | — | 5.5 | — | The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffect… | |
| CVE-2021-3657 | medium | — | 5.5 | — | A flaw was found in mbsync versions prior to 1.4.4. Due to inadequate handling of extremely large (>=2GiB) IMAP literals, malicious or compromised IMAP servers, and hypothetically even external email… | |
| CVE-2021-3418 | medium | — | 5.5 | — | If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboo… | |
| CVE-2021-21837 | medium | — | 5.5 | — | Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause… | |
| CVE-2021-44541 | medium | — | 5.5 | — | A vulnerability was found in Privoxy which was fixed in process_encrypted_request_headers() by freeing header memory when failing to get the request destination. | |
| CVE-2021-32440 | medium | — | 5.5 | — | The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command. |