How severe is CVE-2021-21353?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9 out of 10.

What type of vulnerability is CVE-2021-21353?

This is classified as CWE-74, which is a common weakness in software security.

CVE-2021-21353

CRITICAL Year: 2021

CVSS v3 Score

9.0

Critical

CVSS v2 Score

6.8

Medium

Weakness Type

CWE-74

View all →

Vulnerability Description

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

CVE-2023-22522

CRITICAL

CVSS:9.0(Critical)

This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is abl...

CWE-742023

CVE-2023-43656

CRITICAL

CVSS:9.0(Critical)

matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. Instances that have enabled transformation functions (those that have `generic.allowJsTransform...

CWE-742023

CVE-2024-29027

CRITICAL

CVSS:9.0(Critical)

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name ...

CWE-742024

CVE-2024-39604

CRITICAL

CVSS:9.0(Critical)

A command execution vulnerability exists in the update_filter_url.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An at...

CWE-742024

CVE-2014-7236

CRITICAL

CVSS:9.1(Critical)

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.

CWE-742014

CVE-2015-7544

CRITICAL

CVSS:9.1(Critical)

redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manager (aka RHEV Manager) before 3.6 allows remote authenticated users with the SuperUser role on any Entity to execute arbitrary comma...

CWE-742015

CVE-2021-21353

Vulnerability Description

Related Vulnerabilities

CVE-2023-22522

CVE-2023-43656

CVE-2024-29027

CVE-2024-39604

CVE-2014-7236

CVE-2015-7544