Bitcoin Core version 28.4 is now available for download. See the release notes for more information about the bug fixes in this release. If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we’ll do our best to help you.

[CVE-2025-12782] [Modified: 11-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages.

[CVE-2025-14010] [Modified: 02-01-2026] [Analyzed] [V3.1 S5.5:MEDIUM] A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access.

[CVE-2025-41079] [Modified: 05-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with PUT parameter 'name' in '/api/v2.1/user/'.

[CVE-2025-41080] [Modified: 05-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored Cross-Site Scripting (XSS) vulnerability has been found in Seafile v12.0.10. This vulnerability allows an attacker to execute arbitrary code in the victim's browser by storing malicious payloads with POST parameter 'p' in '/api/v2.1/repos/{repo_id}/file/'.

[CVE-2025-11222] [Modified: 19-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Central Dogma versions before 0.78.0 contain an Open Redirect vulnerability that allows attackers to redirect users to untrusted sites via specially crafted URLs, potentially facilitating phishing attacks and credential theft.

[CVE-2024-45538] [Modified: 05-12-2025] [Analyzed] [V3.1 S9.6:CRITICAL] Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

[CVE-2024-45539] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.

[CVE-2024-5401] [Modified: 05-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.

[CVE-2025-14006] [Modified: 05-12-2025] [Analyzed] [V3.1 S3.5:LOW] A security vulnerability has been detected in dayrui XunRuiCMS up to 4.7.1. Affected by this issue is some unknown functionality of the file /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1 of the component Add Data Validation Page. The manipulation of the argument data[name] leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-14007] [Modified: 05-12-2025] [Analyzed] [V3.1 S2.0:LOW] A vulnerability was detected in dayrui XunRuiCMS up to 4.7.1. This affects an unknown part of the file /admin79f2ec220c7e.php?c=api&m=demo&name=mobile of the component Domain Name Binding Page. The manipulation results in cross site scripting. The attack may be performed from remote. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-14008] [Modified: 05-12-2025] [Analyzed] [V3.1 S4.7:MEDIUM] A flaw has been found in dayrui XunRuiCMS up to 4.7.1. This vulnerability affects unknown code of the file admin79f2ec220c7e.php?c=api&m=test_site_domain of the component Project Domain Change Test. This manipulation of the argument v causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2025-29843] [Modified: 05-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files.

[CVE-2025-29844] [Modified: 05-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information.

[CVE-2025-29845] [Modified: 05-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.

[CVE-2025-29846] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.2:HIGH] A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.

[CVE-2025-2848] [Modified: 09-02-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions.

[CVE-2025-53963] [Modified: 16-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. They run an SSH server accessible over the default port 22. The root account has a weak default password of ionadmin, and a password change policy for the root account is not enforced. Thus, an attacker with network connectivity can achieve root code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

[CVE-2025-54303] [Modified: 16-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The Thermo Fisher Torrent Suite Django application 5.18.1 has weak default credentials, which are stored as fixtures for the Django ORM API. The ionadmin user account can be used to authenticate to default deployments with the password ionadmin. The user guide recommends changing default credentials; however, a password change policy for default administrative accounts is not enforced. Many deployments may retain default credentials, in which case an attacker is likely to be able to successfully authenticate with administrative privileges.

[CVE-2025-54304] [Modified: 16-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered on Thermo Fisher Ion Torrent OneTouch 2 INS1005527 devices. When they are powered on, an X11 display server is started. The display server listens on all network interfaces and is accessible over port 6000. The X11 access control list, by default, allows connections from 127.0.0.1 and 192.168.2.15. If a device is powered on and later connected to a network with DHCP, the device may not be assigned the 192.168.2.15 IP address, leaving the display server accessible by other devices on the network. The exposed X11 display server can then be used to gain root privileges and the ability to execute code remotely by interacting with matchbox-desktop and spawning a terminal. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

[CVE-2025-54305] [Modified: 16-12-2025] [Analyzed] [V3.1 S7.8:HIGH] An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. One of the middlewares included in this application, LocalhostAuthMiddleware, authenticates users as ionadmin if the REMOTE_ADDR property in request.META is set to 127.0.0.1, to 127.0.1.1, or to ::1. Any user with local access to the server may bypass authentication.