LiveActive security incident?Get immediate response
CVE archive

August 2021

Browse CVE records published in August 2021, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2044 matching CVEs · Page 2 of 41.

Medium · CVSS 4.2

CVE-2021-32050: Some MongoDB Drivers may publish events containing authentication-related data to a command listener configured by an application

Some MongoDB Drivers may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when specific authentication-related commands are executed. Without due care, an application may inadvertently expose this sensitive information, e.g., by writing it to a log file. This issue only arises if an application enables the command listener feature (this is not enabled by default). This issue affects the MongoDB C Driver 1.0.0 prior to 1.17.7, MongoDB PHP Driver 1.0.0 prior to 1.9.2, MongoDB Swift Driver 1.0.0 prior to 1.1.1, MongoDB Node.js Driver 3.6 prior to 3.6.10, MongoDB Node.js Driver 4.0 prior to 4.17.0 and MongoDB Node.js Driver 5.0 prior to 5.8.0. This issue also affects users of the MongoDB C++ Driver dependent on the C driver 1.0.0 prior to 1.17.7 (C++ driver prior to 3.7.0).

Published Aug 29, 2023 · Updated Nov 3, 2025

Unknown · CVSS Not scored

CVE-2021-3979: A key length flaw was found in Red Hat Ceph Storage.

A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks.

Published Aug 25, 2022 · Updated Nov 3, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2021-35395: Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface...

Realtek Jungle SDK version v2.x up to v3.4.14B provides an HTTP web server exposing a management interface that can be used to configure the access point. Two versions of this management interface exists: one based on Go-Ahead named webs and another based on Boa named boa. Both of them are affected by these vulnerabilities. Specifically, these binaries are vulnerable to the following issues: - stack buffer overflow in formRebootCheck due to unsafe copy of submit-url parameter - stack buffer overflow in formWsc due to unsafe copy of submit-url parameter - stack buffer overflow in formWlanMultipleAP due to unsafe copy of submit-url parameter - stack buffer overflow in formWlSiteSurvey due to unsafe copy of ifname parameter - stack buffer overflow in formStaticDHCP due to unsafe copy of hostname parameter - stack buffer overflow in formWsc due to unsafe copy of 'peerPin' parameter - arbitrary command execution in formSysCmd via the sysCmd parameter - arbitrary command injection in formWsc via the 'peerPin' parameter Exploitability of identified issues will differ based on what the end vendor/manufacturer did with the Realtek SDK webserver. Some vendors use it as-is, others add their own authentication implementation, some kept all the features from the server, some remove some of them, some inserted their own set of features. However, given that Realtek SDK implementation is full of insecure calls and that developers tends to re-use those examples in their custom code, any binary based on Realtek SDK webserver will probably contains its own set of issues on top of the Realtek ones (if kept). Successful exploitation of these issues allows remote attackers to gain arbitrary code execution on the device.

Published Aug 16, 2021 · Updated Oct 21, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2021-35394: Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usuall...

Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called 'MP Daemon' that is usually compiled as 'UDPServer' binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.

Published Aug 16, 2021 · Updated Oct 21, 2025

High · CVSS 8.5 · CISA KEV

CVE-2021-39144: XStream is vulnerable to a Remote Command Execution attack

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.

Published Aug 23, 2021 · Updated Oct 21, 2025

High · CVSS 8.8 · CISA KEV

CVE-2021-30858: A use after free issue was addressed with improved memory management.

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Published Aug 24, 2021 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2021-30860: An integer overflow was addressed with improved input validation.

An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Published Aug 24, 2021 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2021-30869: A type confusion issue was addressed with improved state handling.

A type confusion issue was addressed with improved state handling. This issue is fixed in iOS 12.5.5, iOS 14.4 and iPadOS 14.4, macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, Security Update 2021-006 Catalina. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild.

Published Aug 24, 2021 · Updated Oct 21, 2025

High · CVSS 7.8 · CISA KEV

CVE-2021-30883: A memory corruption issue was addressed with improved memory handling.

A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 15.0.2 and iPadOS 15.0.2, macOS Monterey 12.0.1, iOS 14.8.1 and iPadOS 14.8.1, tvOS 15.1, watchOS 8.1, macOS Big Sur 11.6.1. An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..

Published Aug 24, 2021 · Updated Oct 21, 2025

High · CVSS 7.5 · CISA KEV

CVE-2021-31010: A deserialization issue was addressed through improved validation.

A deserialization issue was addressed through improved validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 12.5.5, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. A sandboxed process may be able to circumvent sandbox restrictions. Apple was aware of a report that this issue may have been actively exploited at the time of release..

Published Aug 24, 2021 · Updated Oct 21, 2025

High · CVSS 8.2 · CISA KEV

CVE-2021-32648: Account Takeover in Octobercms

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

Published Aug 26, 2021 · Updated Oct 21, 2025

Medium · CVSS 5.3

CVE-2021-46304: A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions), CP-8000 MAS...

A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O -25/+70°C (All versions), CP-8000 MASTER MODULE WITH I/O -40/+70°C (All versions), CP-8021 MASTER MODULE (All versions), CP-8022 MASTER MODULE WITH GPRS (All versions). The component allows to activate a web server module which provides unauthenticated access to its web pages. This could allow an attacker to retrieve debug-level information from the component such as internal network topology or connected systems.

Published Aug 10, 2022 · Updated Oct 20, 2025

Medium · CVSS 4.2

CVE-2021-37150: Protocol vs scheme mismatch

Improper Input Validation vulnerability in header parsing of Apache Traffic Server allows an attacker to request secure resources. This issue affects Apache Traffic Server 8.0.0 to 9.1.2.

Published Aug 10, 2022 · Updated Sep 8, 2025

Critical · CVSS 9

CVE-2021-22156: An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of...

An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.

Published Aug 17, 2021 · Updated Aug 22, 2025

Low · CVSS 3.7

CVE-2021-22924: libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of...

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

Published Aug 5, 2021 · Updated Jun 9, 2025

High · CVSS 7.5

CVE-2021-3998: A flaw was found in glibc.

A flaw was found in glibc. The realpath() function can mistakenly return an unexpected value, potentially leading to information leakage and disclosure of sensitive data.

Published Aug 24, 2022 · Updated Jun 9, 2025

Critical · CVSS 9.9

CVE-2021-32016: An issue was discovered in JUMP AMS 3.6.0.04.009-2487.

An issue was discovered in JUMP AMS 3.6.0.04.009-2487. A JUMP SOAP endpoint permitted the writing of arbitrary files to a user-controlled location on the remote filesystem (with user-controlled content) via directory traversal, potentially leading to remote code and command execution.

Published Aug 3, 2021 · Updated May 30, 2025

Critical · CVSS 9.9

CVE-2021-32017: An issue was discovered in JUMP AMS 3.6.0.04.009-2487.

An issue was discovered in JUMP AMS 3.6.0.04.009-2487. A JUMP SOAP endpoint permitted the listing of the content of the remote file system. This can be used to identify the complete server filesystem structure, i.e., identifying all the directories and files.

Published Aug 3, 2021 · Updated May 30, 2025

Medium · CVSS 6.1

CVE-2021-34661: WP Fusion Lite <= 3.37.18 Cross-Site Request Forgery to Data Deletion

The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.

Published Aug 9, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34660: WP Fusion Lite <= 3.37.18 Reflected Cross-Site Scripting

The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18.

Published Aug 9, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34640: Securimage-WP-Fixed <= 3.5.4 Reflected Cross-Site Scripting

The Securimage-WP-Fixed WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/securimage-wp.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.4.

Published Aug 11, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34655: WP Songbook <= 2.0.11 Reflected Cross-Site Scripting

The WP Songbook WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the url parameter found in the ~/inc/class.ajax.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.11.

Published Aug 16, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34658: Simple Popup Newsletter <= 1.4.7 Reflected Cross-Site Scripting

The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7.

Published Aug 16, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34663: jQuery Tagline Rotator <= 0.1.5 Reflected Cross-Site Scripting

The jQuery Tagline Rotator WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/jquery-tagline-rotator.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.1.5.

Published Aug 16, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34664: Moova for WooCommerce <= 3.5 Reflected Cross-Site Scripting

The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.

Published Aug 16, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34665: WP SEO Tags <= 2.2.7 Reflected Cross-Site Scripting

The WP SEO Tags WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the saq_txt_the_filter parameter in the ~/wp-seo-tags.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.2.7.

Published Aug 16, 2021 · Updated May 23, 2025

Medium · CVSS 6.1

CVE-2021-34643: Skaut bazar <= 1.3.2 Reflected Cross-Site Scripting

The Skaut bazar WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/skaut-bazar.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.3.2.

Published Aug 16, 2021 · Updated May 5, 2025

Medium · CVSS 6.1

CVE-2021-34644: Multiplayer Games <= 3.7 Reflected Cross-Site Scripting

The Multiplayer Games WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/multiplayergames.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.7.

Published Aug 16, 2021 · Updated May 5, 2025

Medium · CVSS 6.1

CVE-2021-34652: Media Usage <= 0.0.4 Reflected Cross-Site Scripting

The Media Usage WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter in the ~/mmu_admin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.4.

Published Aug 16, 2021 · Updated May 5, 2025

Medium · CVSS 6.1

CVE-2021-34649: Simple Behance Portfolio <= 0.2 Reflected Cross-Site Scripting

The Simple Behance Portfolio WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `dark` parameter in the ~/titan-framework/iframe-font-preview.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.2.

Published Aug 16, 2021 · Updated May 5, 2025

Medium · CVSS 6.1

CVE-2021-34653: WP Fountain <= 1.5.9 Reflected Cross-Site Scripting

The WP Fountain WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/wp-fountain.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.9.

Published Aug 16, 2021 · Updated May 5, 2025