CVEs from 2021
- Total: 5,210
- Critical: 273
- High: 975
- Medium: 1,141
- Low: 135
- % Critical: 5.2%
- % with KEV: 4.1%
- % with exploit: 4.1%
Top products
- office 13
- 365_apps 6
- office_long_term_servicing_channel 6
- library_automation_system 5
- single_connect 4
- http_server 3
- solidfire 2
- student_information_management_system 2
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2021-3156 | critical | — | 10.0 | 4y ago | Sudo contains an off-by-one error that can result in a heap-based buffer overflow, which allows for privilege escalation. | |
| CVE-2021-4102 | critical | — | 10.0 | 5y ago | Google Chromium V8 Engine contains a use-after-free vulnerability that allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multipl… | |
| CVE-2021-44228 | critical | — | 10.0 | 5y ago | Remote code injection in Log4j | |
| CVE-2021-42013 | critical | — | 10.0 | 5y ago | Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured by Alias-like directives are not under defa… | |
| CVE-2021-30551 | critical | — | 10.0 | 5y ago | multiple issues in chromium | |
| CVE-2021-22205 | critical | — | 10.0 | 5y ago | GitHub Community and Enterprise Editions that utilize the ability to upload images through GitLab Workhorse are vulnerable to remote code execution. Workhorse passes image file extensions through Exi… | |
| CVE-2021-21148 | critical | — | 10.0 | 5y ago | multiple issues in chromium | |
| CVE-2021-47952 | critical | 9.8 | 9.8 | 12d ago | python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. … | |
| CVE-2021-47965 | critical | 9.8 | 9.8 | 13d ago | WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation.… | |
| CVE-2021-47940 | critical | 9.8 | 9.8 | 18d ago | WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fi… | |
| CVE-2021-47936 | critical | 9.8 | 9.8 | 18d ago | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Att… | |
| CVE-2021-47933 | critical | 9.8 | 9.8 | 18d ago | WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the REST API endpoint. Attackers… | |
| CVE-2021-47932 | critical | 9.8 | 9.8 | 18d ago | WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler… | |
| CVE-2021-47923 | critical | 9.8 | 9.8 | 18d ago | OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie. Attackers can set malicious OCSESSID c… | |
| CVE-2021-3854 | critical | 9.8 | 9.8 | 3y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before … | |
| CVE-2021-4105 | critical | 9.8 | 9.8 | 3y ago | Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion. This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727. | |
| CVE-2021-3825 | critical | 9.6 | 9.6 | 5y ago | Version 2.1.15 and below of the Lider module in LiderAhenk software leaks its configuration via an unsecured API. An attacker with access to the configurations API could get valid LDAP crede… | |
| CVE-2021-28683 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-21137 | critical | — | 9.5 | — | Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page. | |
| CVE-2021-21140 | critical | — | 9.5 | — | Uninitialized use in USB in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform out of bounds memory access via a USB device. | |
| CVE-2021-4099 | critical | — | 9.5 | — | Use after free in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21141 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass file extension policy via a crafted HTML page. | |
| CVE-2021-22197 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-22192 | critical | — | 9.5 | — | arbitrary code execution in gitlab | |
| CVE-2021-22202 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-4098 | critical | — | 9.5 | — | Insufficient data validation in Mojo in Google Chrome prior to 96.0.4664.110 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted H… | |
| CVE-2021-22196 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-34824 | critical | — | 9.5 | — | information disclosure in istio | |
| CVE-2021-4101 | critical | — | 9.5 | — | Heap buffer overflow in Swiftshader in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-22198 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-22201 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-26676 | critical | — | 9.5 | — | gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp. | |
| CVE-2021-3345 | critical | — | 9.5 | — | _gcry_md_block_write in cipher/hash-common.c in Libgcrypt version 1.9.0 has a heap-based buffer overflow when the digest final function sets a large count value. It is recommended to upgrade to 1.9.1… | |
| CVE-2021-29258 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-22203 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-31864 | critical | — | 9.5 | — | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. | |
| CVE-2021-4100 | critical | — | 9.5 | — | Object lifecycle issue in ANGLE in Google Chrome prior to 96.0.4664.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-22199 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-22200 | critical | — | 9.5 | — | multiple issues in gitlab | |
| CVE-2021-31921 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-21132 | critical | — | 9.5 | — | Inappropriate implementation in DevTools in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted Chrome Extension. | |
| CVE-2021-30163 | critical | — | 9.5 | — | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. | |
| CVE-2021-31863 | critical | — | 9.5 | — | Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows Redmine users to read arbitrary local files accessible by th… | |
| CVE-2021-21139 | critical | — | 9.5 | — | Inappropriate implementation in iframe sandbox in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. | |
| CVE-2021-31865 | critical | — | 9.5 | — | Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. | |
| CVE-2021-21120 | critical | — | 9.5 | — | Use after free in WebSQL in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-29953 | critical | — | 9.5 | — | A malicious webpage could have forced a Firefox for Android user into executing attacker-controlled JavaScript in the context of another domain, resulting in a Universal Cross-Site Scripting vulnerab… | |
| CVE-2021-30164 | critical | — | 9.5 | — | Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. | |
| CVE-2021-21127 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass content security policy via a crafted Chrome Extension. | |
| CVE-2021-26675 | critical | — | 9.5 | — | A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network-adjacent attackers to execute code. | |
| CVE-2021-21128 | critical | — | 9.5 | — | Heap buffer overflow in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30547 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21124 | critical | — | 9.5 | — | Potential use after free in Speech Recognizer in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-30549 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21143 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21138 | critical | — | 9.5 | — | Use after free in DevTools in Google Chrome prior to 88.0.4324.96 allowed a local attacker to potentially perform a sandbox escape via a crafted file. | |
| CVE-2021-21126 | critical | — | 9.5 | — | Insufficient policy enforcement in extensions in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. | |
| CVE-2021-21147 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-29274 | critical | — | 9.5 | — | Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. | |
| CVE-2021-21117 | critical | — | 9.5 | — | Insufficient policy enforcement in Cryptohome in Google Chrome prior to 88.0.4324.96 allowed a local attacker to perform OS-level privilege escalation via a crafted file. | |
| CVE-2021-21146 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-31920 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-28682 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-21123 | critical | — | 9.5 | — | Insufficient data validation in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-30548 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30552 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21125 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome on Windows prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21145 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30546 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30550 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21144 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21119 | critical | — | 9.5 | — | Use after free in Media in Google Chrome prior to 88.0.4324.96 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-21134 | critical | — | 9.5 | — | Incorrect security UI in Page Info in Google Chrome on iOS prior to 88.0.4324.96 allowed a remote attacker to spoof security UI via a crafted HTML page. | |
| CVE-2021-21118 | critical | — | 9.5 | — | Insufficient data validation in V8 in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. | |
| CVE-2021-29492 | critical | — | 9.5 | — | multiple issues in istio | |
| CVE-2021-21142 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21122 | critical | — | 9.5 | — | Use after free in Blink in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | |
| CVE-2021-30553 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21133 | critical | — | 9.5 | — | Insufficient policy enforcement in Downloads in Google Chrome prior to 88.0.4324.96 allowed an attacker who convinced a user to download files to bypass navigation restrictions via a crafted HTML pag… | |
| CVE-2021-21136 | critical | — | 9.5 | — | Insufficient policy enforcement in WebView in Google Chrome on Android prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2021-21135 | critical | — | 9.5 | — | Inappropriate implementation in Performance API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | |
| CVE-2021-21130 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-21129 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-31866 | critical | — | 9.5 | — | Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController… | |
| CVE-2021-21121 | critical | — | 9.5 | — | Use after free in Omnibox in Google Chrome on Linux prior to 88.0.4324.96 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. | |
| CVE-2021-30545 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-30544 | critical | — | 9.5 | — | multiple issues in chromium | |
| CVE-2021-21131 | critical | — | 9.5 | — | Insufficient policy enforcement in File System API in Google Chrome prior to 88.0.4324.96 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. | |
| CVE-2021-39935 | high | — | 9.5 | 4mo ago | GitLab Community and Enterprise Editions contain a server-side request forgery vulnerability which could allow unauthorized external users to perform Server Side Requests via the CI Lint API. | |
| CVE-2021-22555 | high | — | 9.5 | 8mo ago | A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through… | |
| CVE-2021-43798 | high | — | 9.5 | 2y ago | Grafana contains a path traversal vulnerability that could allow access to local files. | |
| CVE-2021-3560 | high | — | 9.5 | 3y ago | Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation. | |
| CVE-2021-4034 | high | — | 9.5 | 4y ago | Important: polkit security update | |
| CVE-2021-30533 | high | — | 9.5 | 4y ago | multiple issues in chromium | |
| CVE-2021-21686 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21689 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21694 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21691 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21692 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins | |
| CVE-2021-21688 | critical | — | 9.5 | 4y ago | Multiple vulnerabilities allow bypassing path filtering of agent-to-controller access control in Jenkins |