
[CVE-2025-26514] [Modified: 23-09-2025] [Analyzed] [V3.1 S6.4:MEDIUM] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Reflected Cross-Site Scripting vulnerability. Successful exploit could allow an attacker to view or modify configuration settings or add or modify user accounts but requires the attacker to know specific information about the target instance and then trick a privileged user into clicking a specially crafted link.

[CVE-2025-26515] [Modified: 23-09-2025] [Analyzed] [V3.1 S7.5:HIGH] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 without Single Sign-on enabled are susceptible to a Server-Side Request Forgery (SSRF) vulnerability. Successful exploit could allow an unauthenticated attacker to change the password of any Grid Manager or Tenant Manager non-federated user.

[CVE-2025-26516] [Modified: 23-09-2025] [Analyzed] [V3.1 S5.3:MEDIUM] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a Denial of Service vulnerability. Successful exploit could allow an unauthenticated attacker to cause a Denial of Service on the Admin node.

[CVE-2025-26517] [Modified: 23-09-2025] [Analyzed] [V3.1 S5.4:MEDIUM] StorageGRID (formerly StorageGRID Webscale) versions prior to 11.8.0.15 and 11.9.0.8 are susceptible to a privilege escalation vulnerability. Successful exploit could allow an unauthorized authenticated attacker to discover Grid node names and IP addresses or modify Storage Grades.

[CVE-2025-34200] [Modified: 24-09-2025] [Analyzed] [V3.1 S7.8:HIGH] Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) provision the appliance with the network account credentials in clear-text inside /etc/issue, and the file is world-readable by default. An attacker with local shell access can read /etc/issue to obtain the network account username and password. Using the network account an attacker can change network parameters via the appliance interface, enabling local misconfiguration, network disruption or further escalation depending on deployment.
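
The two properties that make this finding exploitable, a world-readable mode and a secret in the file body, can be checked directly. The audit below is an added example, not Vasion's code or the advisory's own reproduction; the banner content and key names (`network user`, `network password`) are constructed, since the advisory only states that the network account's username and password are present in /etc/issue. It also shows that tightening the mode removes only one of the two findings; the credential still has to come out of the file.

```python
import os
import re
import stat
import tempfile

# Lines that look like a credential was written into a banner file. The key
# names are assumptions for this example; the advisory only says the network
# account's username and password are in /etc/issue.
CREDENTIAL_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token)\s*[:=]\s*\S+")


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set, i.e. any local shell can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def credential_lines(path: str) -> list:
    """Lines of the file that match CREDENTIAL_RE."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if CREDENTIAL_RE.search(line)]


def audit_banner(path: str) -> list:
    """Findings for a login banner such as /etc/issue: permissions first, content second."""
    findings = []
    if is_world_readable(path):
        findings.append("world-readable")
    for line in credential_lines(path):
        findings.append("credential-like line: " + line)
    return findings


def demo() -> tuple:
    """Constructed stand-in for the appliance's /etc/issue, written to a temp file."""
    fd, path = tempfile.mkstemp(prefix="issue-")
    with os.fdopen(fd, "w") as fh:
        fh.write("Print appliance console\n")
        fh.write("network user: svc_net\n")          # constructed value
        fh.write("network password: Example123!\n")  # constructed value
    os.chmod(path, 0o644)            # typical default: readable by every local user
    before = audit_banner(path)
    os.chmod(path, 0o600)            # tightening the mode removes one finding only
    after = audit_banner(path)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host run `audit_banner("/etc/issue")` (and the same for /etc/issue.net and /etc/motd, which getty and sshd also print before authentication). A banner is displayed to unauthenticated users by design, so the only real fix is to provision the credential somewhere else; chmod is a stopgap.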

[CVE-2025-34201] [Modified: 24-09-2025] [Analyzed] [V3.1 S7.8:HIGH] Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) run many Docker containers on shared internal networks without firewalling or segmentation between instances. A compromise of any single container allows direct access to internal services (HTTP, Redis, MySQL, etc.) on the overlay network. From a compromised container, an attacker can reach and exploit other services, enabling lateral movement, data theft, and system-wide compromise.

[CVE-2025-34204] [Modified: 24-09-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) contains multiple Docker containers that run primary application processes (for example PHP workers, Node.js servers and custom binaries) as the root user. This increases the blast radius of a container compromise and enables lateral movement and host compromise when a container is breached.

[CVE-2025-34206] [Modified: 24-09-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA and SaaS deployments) mount host configuration and secret material under /var/www/efs_storage into many Docker containers with overly-permissive filesystem permissions. Files such as secrets.env, GPG-encrypted blobs in .secrets, MySQL client keys, and application session files are accessible from multiple containers. An attacker who controls or reaches any container can read or modify these artifacts, leading to credential theft, RCE via Laravel APP_KEY, Portainer takeover, and full compromise.
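
The three container findings above (flat shared network, root processes, secret material bind-mounted read-write from /var/www/efs_storage) can all be read off `docker inspect` output. The audit below is an added example, not Vasion's tooling; it walks inspect-shaped records and reports each pattern. The container names, user values and mount paths in SAMPLE are constructed, and the /var/www/efs_storage prefix is the one the advisory names. On a real appliance feed it `json.load` of `docker inspect $(docker ps -q)`.

```python
from collections import defaultdict

# Directory the advisory names as holding host configuration and secret material.
SECRET_PREFIX = "/var/www/efs_storage"


def runs_as_root(inspect: dict) -> bool:
    """Config.User empty, 'root', '0' or '0:0' all mean the main process is uid 0."""
    user = inspect.get("Config", {}).get("User", "") or ""
    return user.split(":")[0] in ("", "root", "0")


def writable_secret_mounts(inspect: dict) -> list:
    """Host paths under SECRET_PREFIX bound into the container without the ro option."""
    hits = []
    for bind in inspect.get("HostConfig", {}).get("Binds", []) or []:
        parts = bind.split(":")                      # host:container[:options]
        src = parts[0]
        opts = parts[2] if len(parts) > 2 else "rw"
        if src.startswith(SECRET_PREFIX) and "ro" not in opts.split(","):
            hits.append(src)
    return hits


def audit_containers(inspects: list) -> dict:
    """Per-container findings, plus one entry per network that several containers share."""
    findings = defaultdict(list)
    members = defaultdict(list)
    for c in inspects:
        name = c["Name"].lstrip("/")
        if runs_as_root(c):
            findings[name].append("process runs as root")
        for src in writable_secret_mounts(c):
            findings[name].append("secret path mounted read-write: " + src)
        for net in c.get("NetworkSettings", {}).get("Networks", {}):
            members[net].append(name)
    for net, names in members.items():
        if len(names) > 1:
            findings["network:" + net].append(
                "shared flat network, no segmentation between: " + ", ".join(sorted(names)))
    return dict(findings)


# Constructed inspect-style records (same shape as `docker inspect`), not real appliance output.
SAMPLE = [
    {"Name": "/php-worker",
     "Config": {"User": ""},
     "HostConfig": {"Binds": ["/var/www/efs_storage:/var/www/efs_storage"]},
     "NetworkSettings": {"Networks": {"internal": {}}}},
    {"Name": "/redis",
     "Config": {"User": "999:999"},
     "HostConfig": {"Binds": []},
     "NetworkSettings": {"Networks": {"internal": {}}}},
    {"Name": "/node-api",
     "Config": {"User": "node"},
     "HostConfig": {"Binds": ["/var/www/efs_storage/secrets.env:/app/secrets.env:ro"]},
     "NetworkSettings": {"Networks": {"internal": {}}}},
]

if __name__ == "__main__":
    for target, items in audit_containers(SAMPLE).items():
        print(target, items)
```

The network check is deliberately coarse: membership in one network is not proof that every member can reach every other (the daemon's `com.docker.network.bridge.enable_icc` option and host firewall rules also matter), so treat it as a list of what to verify, not a verdict.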

[CVE-2025-43803] [Modified: 16-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Insecure direct object reference (IDOR) vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to view contact information, including the contact’s name and email address, via the _com_liferay_contacts_web_portlet_ContactsCenterPortlet_entryId parameter.

[CVE-2025-10568] [Modified: 16-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] HyperX NGENUITY software is potentially vulnerable to arbitrary code execution. HP is releasing updated software to address the potential vulnerability.

[CVE-2025-43809] [Modified: 16-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the 'orderUuid' parameter.

[CVE-2025-52159] [Modified: 25-09-2025] [Analyzed] [V3.1 S8.8:HIGH] PPress 0.0.9 ships hardcoded credentials in its default configuration.

[CVE-2025-54761] [Modified: 25-09-2025] [Analyzed] [V3.1 S8.0:HIGH] An issue was discovered in PPress 0.0.9 allowing attackers to gain escalated privileges via a crafted session cookie.

[CVE-2025-54815] [Modified: 25-09-2025] [Analyzed] [V3.1 S8.8:HIGH] Server-side template injection (SSTI) vulnerability in PPress 0.0.9 allows attackers to execute arbitrary code via crafted themes.

[CVE-2025-56762] [Modified: 03-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Paracrawl KeOPs v2 is vulnerable to Cross Site Scripting (XSS) in error.php.

[CVE-2025-57396] [Modified: 03-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Tandoor Recipes 2.0.0-alpha-1, fixed in 2.0.0-alpha-2, is vulnerable to privilege escalation. This is due to the rework of the API, which left the User Profile API endpoint exposing, and accepting on update, two boolean values indicating whether a user is staff or an administrator. Consequently, any user can escalate their privileges to the highest level.
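
This is the mass-assignment pattern: a profile serializer that writes whatever fields the request body contains, including the privilege flags that should only ever be read. The pair below is an added example, not Tandoor's code; the `User` dataclass, the `SELF_EDITABLE` allowlist and the request payload are constructed to show the shape of the bug beside the fix.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_staff: bool = False
    is_superuser: bool = False


# Fields a user may change on their own profile. The privilege flags are deliberately
# absent: they may appear in responses, but they are never writable through this path.
SELF_EDITABLE = frozenset({"email"})


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Shape of the bug: every attribute named in the request body is written through."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_safe(user: User, payload: dict) -> User:
    """Allowlist the writable fields and reject, rather than silently drop, anything else,
    so a client that sends is_superuser gets an error instead of a false success."""
    extra = set(payload) - SELF_EDITABLE
    if extra:
        raise PermissionError("read-only or unknown fields: " + ", ".join(sorted(extra)))
    for key in SELF_EDITABLE & set(payload):
        setattr(user, key, payload[key])
    return user


# Constructed request body an ordinary user could send to the profile endpoint.
ESCALATION_PAYLOAD = {"email": "alice@example.com", "is_staff": True, "is_superuser": True}


def demo() -> dict:
    """Run the same body through both handlers and report what each did."""
    vuln = update_profile_vulnerable(User("alice", "old@example.com"), dict(ESCALATION_PAYLOAD))
    safe = User("bob", "old@example.com")
    try:
        update_profile_safe(safe, dict(ESCALATION_PAYLOAD))
        rejected = False
    except PermissionError:
        rejected = True
    return {
        "vulnerable_superuser": vuln.is_superuser,
        "safe_rejected": rejected,
        "safe_superuser": safe.is_superuser,
        "safe_email_unchanged": safe.email == "old@example.com",
    }


if __name__ == "__main__":
    print(demo())
```

Rejecting unknown fields is the stricter choice; Django REST Framework's `read_only_fields` silently ignores them instead, which also closes the hole but hides probing from the logs. Either way, the test to keep in the suite is the one `demo()` performs: send the privilege flags as a normal user and assert they did not change.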

[CVE-2025-59431] [Modified: 08-10-2025] [Analyzed] [V3.1 S9.8:CRITICAL] MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerable to Boolean-based SQL injection: expression checking is bypassed by introducing double-quote characters in the PropertyName, allowing manipulation of backend database queries. This vulnerability is fixed in 8.4.1.
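
The detail that makes this bug instructive is that PropertyName is an identifier, not a value. Parameter binding protects the literal on the right of the comparison but cannot be applied to a column name, so the name is pasted into the SQL text inside double quotes, and a double quote in the request ends the identifier early. The example below is added here and is not MapServer's code; the `cities` and `users` tables, the in-memory SQLite backend and the `ALLOWED_PROPERTIES` set are constructed. It shows the boolean oracle an attacker gets from the vulnerable path and the allowlist check that closes it.

```python
import sqlite3

# Column names the filter may reference. In a real deployment this comes from the
# layer's schema, never from the request. Constructed for this example.
ALLOWED_PROPERTIES = frozenset({"id", "name", "population"})


def open_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in: one feature table and one sensitive table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cities (id INTEGER, name TEXT, population INTEGER)")
    con.executemany("INSERT INTO cities VALUES (?, ?, ?)",
                    [(1, "Recife", 1600000), (2, "Natal", 900000)])
    con.execute("CREATE TABLE users (login TEXT, secret TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cr3t')")
    return con


def query_vulnerable(con, property_name: str, literal) -> list:
    """Shape of the bug: the literal is bound, but PropertyName is pasted into the SQL as a
    quoted identifier, so a double quote inside it closes the identifier early."""
    sql = f'SELECT name FROM cities WHERE "{property_name}" = ?'
    return con.execute(sql, (literal,)).fetchall()


def is_allowed_property(property_name: str) -> bool:
    """Exact-match allowlist; no escaping, no normalisation, no partial matches."""
    return property_name in ALLOWED_PROPERTIES


def query_safe(con, property_name: str, literal) -> list:
    """Identifiers cannot be bound as parameters, so the sound fix is an allowlist
    checked against the schema before the name reaches the SQL text."""
    if not is_allowed_property(property_name):
        raise ValueError(f"unknown property {property_name!r}")
    sql = f'SELECT name FROM cities WHERE "{property_name}" = ?'
    return con.execute(sql, (literal,)).fetchall()


def boolean_oracle(con, guess: str) -> bool:
    """Attacker's view of the vulnerable path: PropertyName smuggles a predicate on another
    table, and whether any rows come back reveals whether the guess was right."""
    injected = f"id\" = -1 OR (SELECT secret FROM users) = '{guess}' OR \"id"
    # Resulting SQL text:
    #   SELECT name FROM cities WHERE "id" = -1 OR (SELECT secret FROM users) = '<guess>' OR "id" = ?
    return len(query_vulnerable(con, injected, -1)) > 0


if __name__ == "__main__":
    db = open_db()
    print("guess s3cr3t:", boolean_oracle(db, "s3cr3t"))
    print("guess wrong: ", boolean_oracle(db, "wrong"))
```

Doubling embedded double quotes would also neutralise this specific payload, but it leaves the attacker free to name any column the backend exposes; the allowlist is what keeps the filter confined to the layer's own schema.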

[CVE-2025-59689] [Modified: 05-11-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Libraesva ESG 4.5 through 5.5.x before 5.5.7 allows command injection via a compressed e-mail attachment. Fixes have been released in 5.0.31 for ESG 5.0, 5.1.20 for ESG 5.1, 5.2.31 for ESG 5.2, 5.4.8 for ESG 5.4 and 5.5.7 for ESG 5.5.

[CVE-2025-9079] [Modified: 25-09-2025] [Analyzed] [V3.1 S8.0:HIGH] Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to validate the import directory path configuration, which allows admin users to execute arbitrary code by uploading a malicious plugin to the prepackaged plugins directory.
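
The underlying mistake is a configurable directory that is used for writes without being confined, so it can be pointed at a directory the server later loads code from. The check below is an added example, not Mattermost's code; `DATA_ROOT` and `CODE_DIRS` are assumed paths, since the advisory does not name the server's layout. It resolves the setting first and compares with `os.path.commonpath`, which avoids the `startswith` trap where a sibling such as `prepackaged_plugins_old` would be mistaken for the protected directory.

```python
import os

# Assumed layout for this example; the real server's directories are not named in the advisory.
DATA_ROOT = "/srv/app/data"
CODE_DIRS = ("/srv/app/data/prepackaged_plugins",)   # directories the server loads code from


def _under(parent: str, child: str) -> bool:
    """True when child is parent or lies inside it. commonpath compares whole path
    components, so /srv/app/data-old is not 'under' /srv/app/data."""
    return os.path.commonpath([parent, child]) == parent


def resolve_import_dir(configured: str, root: str = DATA_ROOT, code_dirs=CODE_DIRS) -> str:
    """Resolve the configured import directory and require it to stay under root and
    outside every directory the server loads code from. Raises ValueError otherwise."""
    root = os.path.realpath(root)
    candidate = configured if os.path.isabs(configured) else os.path.join(root, configured)
    resolved = os.path.realpath(candidate)        # collapses ../ segments and follows symlinks
    if not _under(root, resolved):
        raise ValueError(f"import dir {resolved} escapes {root}")
    for code_dir in code_dirs:
        if _under(os.path.realpath(code_dir), resolved):
            raise ValueError(f"import dir {resolved} overlaps code directory {code_dir}")
    return resolved


def import_dir_problem(configured: str) -> str:
    """Empty string when the setting is acceptable, otherwise the reason it was rejected."""
    try:
        resolve_import_dir(configured)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    for setting in ("imports", "../etc", "prepackaged_plugins", "prepackaged_plugins/../imports"):
        print(f"{setting!r}: {import_dir_problem(setting) or 'ok'}")
```

Run the check when the configuration is loaded and again before each write, because a symlink created after validation can move the target; on a real deployment `realpath` will follow it, which is why the resolved path rather than the configured string is compared.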

[CVE-2025-9081] [Modified: 25-09-2025] [Analyzed] [V3.1 S3.1:LOW] Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate access controls, which allows any authenticated user to download sensitive files via the board file download endpoint using UUID enumeration.
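
This entry and the Liferay Contacts Center IDOR (CVE-2025-43803) are the same defect: an identifier in the request (a file UUID, an `entryId`) is treated as proof of entitlement, when a random id is only hard to guess once and easy to enumerate from any list that leaks them. The example below is added here and is not Mattermost's or Liferay's code; the `BoardFile` record, the membership and file tables and the access-log events are constructed. It shows the object-level check that belongs after the lookup, and a small detection over denied requests that catches the enumeration the advisory describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BoardFile:
    file_id: str     # UUID-style id: one is hard to guess, many are easy to enumerate
    board_id: str
    name: str


# Constructed fixtures standing in for the board membership and file tables.
BOARD_MEMBERS = {"board-A": {"alice", "bob"}, "board-B": {"carol"}}
FILES = {
    "11111111-1111-4111-8111-111111111111":
        BoardFile("11111111-1111-4111-8111-111111111111", "board-A", "roadmap.pdf"),
    "22222222-2222-4222-8222-222222222222":
        BoardFile("22222222-2222-4222-8222-222222222222", "board-B", "salaries.xlsx"),
}


def download_vulnerable(file_id: str, user: str) -> Optional[BoardFile]:
    """Shape of the bug: being authenticated plus knowing the id is the whole check."""
    return FILES.get(file_id)


def download_safe(file_id: str, user: str) -> Optional[BoardFile]:
    """Look the object up, then check the requester's relationship to the object's owner.
    Missing and forbidden both answer None so the endpoint does not confirm which ids exist."""
    f = FILES.get(file_id)
    if f is None or user not in BOARD_MEMBERS.get(f.board_id, ()):
        return None
    return f


def flag_enumeration(events, threshold: int = 3) -> list:
    """Detection side: a user denied on many distinct ids in one window is sweeping the
    id space. events is an iterable of (user, file_id, allowed) tuples from the access log."""
    denied = defaultdict(set)
    for user, file_id, allowed in events:
        if not allowed:
            denied[user].add(file_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)


# Constructed access-log sample: one user sweeping ids, one user with a single bad link.
SAMPLE_EVENTS = [
    ("mallory", "33333333-3333-4333-8333-333333333333", False),
    ("mallory", "44444444-4444-4444-8444-444444444444", False),
    ("mallory", "22222222-2222-4222-8222-222222222222", False),
    ("alice", "11111111-1111-4111-8111-111111111111", True),
    ("alice", "99999999-9999-4999-8999-999999999999", False),
]

if __name__ == "__main__":
    print(download_vulnerable("22222222-2222-4222-8222-222222222222", "alice"))
    print(download_safe("22222222-2222-4222-8222-222222222222", "alice"))
    print(flag_enumeration(SAMPLE_EVENTS))
```

The detection only works if the denied path is logged with the requested id and the requesting user; a handler that returns a bare 404 without logging leaves nothing to count.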