LiveActive security incident?Get immediate response
CVE archive

December 2021

Browse CVE records published in December 2021, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2052 matching CVEs · Page 3 of 42.

High · CVSS 7.8 · CISA KEV

CVE-2021-1048: In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free.

In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-204573007References: Upstream kernel

Published Dec 15, 2021 · Updated Oct 21, 2025

Medium · CVSS 6.7

CVE-2021-23814: This affects versions of the package unisharp/laravel-filemanager before 2.6.2.

This affects versions of the package unisharp/laravel-filemanager before 2.6.2. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: 1. Install a package with a web Laravel application. 2. Navigate to the Upload window 3. Upload an image file, then capture the request 4. Edit the request contents with a malicious file (webshell) 5. Enter the path of file uploaded on URL - Remote Code Execution **Note:** Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).

Published Dec 17, 2021 · Updated Jun 17, 2025

High · CVSS 8.8

CVE-2021-3187: An issue was discovered in BeyondTrust Privilege Management for Mac before 5.7.

An issue was discovered in BeyondTrust Privilege Management for Mac before 5.7. An authenticated, unprivileged user can elevate privileges by running a malicious script (that executes as root from a temporary directory) during install time. (This applies to macOS before 10.15.5, or Security Update 2020-003 on Mojave and High Sierra, Later versions of macOS are not vulnerable.)

Published Dec 11, 2023 · Updated May 27, 2025

Medium · CVSS 5.4

CVE-2021-25967: CKAN - Stored Cross-Site Scripting (XSS) via SVG File Upload

In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the malicious profile picture

Published Dec 1, 2021 · Updated Apr 30, 2025

Medium · CVSS 5.4

CVE-2021-25993: Requarks wiki.js - Stored Cross-Site Scripting (XSS) in markdown editor

In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attacker’s server and will lead to account takeover when accessed by the victim.

Published Dec 29, 2021 · Updated Apr 30, 2025

Medium · CVSS 6.5

CVE-2021-37533: Apache Commons Net's FTP client trusts the host from PASV response by default

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

Published Dec 3, 2022 · Updated Apr 24, 2025

Low · CVSS 3.3

CVE-2021-44187: Adobe Bridge SGI File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious SGI file.

Published Dec 7, 2021 · Updated Apr 23, 2025

Low · CVSS 3.3

CVE-2021-44186: Adobe Bridge SGI File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious SGI file.

Published Dec 7, 2021 · Updated Apr 23, 2025

Low · CVSS 3.3

CVE-2021-44185: Adobe Bridge RGB File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Adobe Bridge version 11.1.2 (and earlier) and version 12.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious RGB file.

Published Dec 7, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43026: Adobe Premiere Rush MXF File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious MXF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-40783: Adobe Premiere Rush WAV File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43028: Adobe Premiere Rush M4A File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43029: Adobe Premiere Rush M4A File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious M4A file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43021: Adobe Premiere Rush EXR File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious EXR file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43747: Adobe Premiere Rush WAV File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43022: Adobe Premiere Rush PNG File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious PNG file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43024: Adobe Premiere Rush WAV File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

Medium · CVSS 5.5

CVE-2021-43748: Adobe Premiere Rush NULL Pointer Dereference Local Denial-of-Service

Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-40784: Adobe Premiere Rush WAV File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious WAV file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

Medium · CVSS 5.5

CVE-2021-43749: Adobe Premiere Rush NULL Pointer Dereference Local Denial-of-Service

Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Dec 20, 2021 · Updated Apr 23, 2025

Low · CVSS 3.3

CVE-2021-43030: Adobe Premiere Rush MP4 File Parsing Uninitialized Variable Information Disclosure Vulnerability

Adobe Premiere Rush versions 1.5.16 (and earlier) allows access to an uninitialized pointer vulnerability that allows remote attackers to disclose arbitrary data on affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of MP4 files. The issue results from the lack of proper initialization of memory prior to accessing it.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43025: Adobe Premiere Rush SVG File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious SVG file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

High · CVSS 7.8

CVE-2021-43023: Adobe Premiere Rush EPS/TIFF File Memory Corruption Remote Code Execution

Adobe Premiere Rush version 1.5.16 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious EPS/TIFF file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.

Published Dec 20, 2021 · Updated Apr 23, 2025

Medium · CVSS 5.5

CVE-2021-43750: Adobe Premiere Rush NULL Pointer Dereference Local Denial-of-Service

Adobe Premiere Rush versions 1.5.16 (and earlier) are affected by a Null pointer dereference vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published Dec 20, 2021 · Updated Apr 23, 2025

Medium · CVSS 5.5

CVE-2021-43746: Adobe Premiere Rush MP4 File Parsing Uninitialized Variable Information Disclosure Vulnerability

Adobe Premiere Rush versions 1.5.16 (and earlier) allows access to an uninitialized pointer vulnerability that allows remote attackers to disclose sensitive information on affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of MP4 files. The issue results from the lack of proper initialization of memory prior to accessing it.

Published Dec 20, 2021 · Updated Apr 23, 2025

Low · CVSS 3.3

CVE-2021-44699: Adobe Audition MP4 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious MP4 file.

Published Dec 20, 2021 · Updated Apr 23, 2025

Low · CVSS 3.3

CVE-2021-44698: Adobe Audition MP4 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious MP4 file.

Published Dec 20, 2021 · Updated Apr 23, 2025

Low · CVSS 3.3

CVE-2021-44697: Adobe Audition MOV File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Adobe Audition versions 14.4 (and earlier), and 22.0 (and earlier)are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious MOV file.

Published Dec 20, 2021 · Updated Apr 23, 2025

Medium · CVSS 5.4

CVE-2021-38997: IBM API Connect HOST header injection

IBM API Connect V10.0.0.0 through V10.0.5.0, V10.0.1.0 through V10.0.1.7, and V2018.4.1.0 through 2018.4.1.19 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 213212.

Published Dec 1, 2022 · Updated Apr 23, 2025