Bitcoin Core version 29.3 is now available for download. See the release notes for more information about the bug fixes in this release.
If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we'll do our best to help you.

[CVE-2025-36161] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.9:MEDIUM] IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information because HTTP Strict Transport Security (HSTS) is not properly enabled. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques.
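The check a practitioner would run against a finding like this is whether the response carries an HSTS header at all and, if so, whether its directives are actually enforceable. The following is an added example, not IBM's code or anything from the advisory; the sample header sets are constructed, not captured from a real host.

```python
"""Check an HTTP response's Strict-Transport-Security (HSTS) header.

Added example, not IBM's or the advisory's code. The sample header sets
below are constructed, not captured from any real server."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31_536_000  # seconds; the usual minimum recommended max-age


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> Tuple[Optional[int], bool, bool]:
    """Split the directive list (RFC 6797 section 6.1); unknown directives are ignored."""
    max_age, include_subdomains, preload = None, False, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"invalid max-age {arg!r}")
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def check_hsts(headers: Dict[str, str]) -> HstsResult:
    """Evaluate the HSTS policy of one response; header names match case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return HstsResult(False, findings=["no HSTS header: a plain-HTTP request can be intercepted and downgraded"])
    try:
        max_age, inc, pre = parse_hsts(value)
    except ValueError as exc:
        return HstsResult(True, findings=[f"HSTS header unparsable ({exc}); browsers will ignore it"])
    result = HstsResult(True, max_age, inc, pre)
    if max_age is None:
        result.findings.append("max-age missing; the header is invalid and ignored")
    elif max_age == 0:
        result.findings.append("max-age=0 clears any cached policy instead of enforcing one")
    elif max_age < ONE_YEAR:
        result.findings.append(f"max-age={max_age} is below one year")
    if not inc:
        result.findings.append("includeSubDomains absent; subdomains remain reachable over HTTP")
    return result


# Constructed sample responses (not from any real host).
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, check_hsts(hdrs).findings)
```

Even a correct header only protects a browser that has already seen it over HTTPS once; the very first plain-HTTP request remains exposed unless the host is on the browser preload list, which is what the `preload` directive signals.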

[CVE-2025-60737] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross-site scripting vulnerability in Ilevia EVE X1 Server (Firmware Version <= 4.7.18.0.eden, Logic Version <= 6.00 - 2025_07_21) allows a remote attacker to execute arbitrary script in a victim's browser via the /index.php component.

[CVE-2025-60738] [Modified: 15-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] An issue in Ilevia EVE X1 Server (Firmware Version v4.7.18.0.eden and before, Logic Version v6.00 - 2025_07_21 and before) allows a remote attacker to execute arbitrary code via the ping.php component, which does not securely filter its IP parameter.

[CVE-2025-62293] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Broken Access Control in the /status endpoint. Due to a lack of permission checks in the Project Status functionality, an authenticated attacker is able to add, edit and delete any status. This issue was fixed in version 1.55.

[CVE-2025-62294] [Modified: 24-11-2025] [Analyzed] [V3.1 S7.5:HIGH] SOPlanning is vulnerable to Predictable Generation of Password Recovery Token. Due to a weak mechanism for generating recovery tokens, an attacker is able to brute-force all possible values and take over any account in a reasonable amount of time. This issue was fixed in version 1.55.

[CVE-2025-62295] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in the /groupe_form endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JavaScript into the website, which is rendered/executed when the editor is opened. This issue was fixed in version 1.55.

[CVE-2025-62296] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in the /taches endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JavaScript into the website, which is rendered/executed when the editor is opened. This issue was fixed in version 1.55.

[CVE-2025-62297] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in the /projets endpoint. A malicious attacker with medium privileges can inject arbitrary HTML and JavaScript into the website, which is rendered/executed when the edited page is opened. This issue was fixed in version 1.55.

[CVE-2025-62729] [Modified: 24-11-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SOPlanning is vulnerable to Stored XSS in the /status endpoint. A malicious attacker with an account can inject arbitrary HTML and JavaScript into the website, which is rendered/executed when several pages are opened. This issue was fixed in version 1.55.

[CVE-2025-62730] [Modified: 24-11-2025] [Analyzed] [V3.1 S8.8:HIGH] SOPlanning is vulnerable to Privilege Escalation in the user management tab. Users with the user_manage_team role are allowed to modify the permissions of other users; however, they can also assign administrative permissions to any user, including themselves, so a malicious authenticated attacker with this role can escalate to admin privileges. This affects both the Bulk Update functionality and the regular editing of a user's rights and privileges. This issue was fixed in version 1.55.

[CVE-2025-62731] [Modified: 24-11-2025] [Analyzed] [V3.1 S4.8:MEDIUM] SOPlanning is vulnerable to Stored XSS in the /feries endpoint. A malicious attacker with access to the public holidays feature is able to inject arbitrary HTML and JavaScript into the website, which is rendered/executed when several pages are opened. By default, only administrators and users with special privileges can access this endpoint. This issue was fixed in version 1.55.

[CVE-2025-62875] [Modified: 15-01-2026] [Analyzed] [V3.1 S5.5:MEDIUM] An Improper Check for Unusual or Exceptional Conditions vulnerability in OpenSMTPD allows local users to crash OpenSMTPD. This issue affects openSUSE Tumbleweed: from ? before 7.8.0p0-1.1.

[CVE-2025-12120] [Modified: 10-12-2025] [Analyzed] [V3.1 S7.3:HIGH] Lite XL versions 2.1.8 and prior automatically execute the .lite_project.lua file when opening a project directory, without prompting the user for confirmation. The .lite_project.lua file is intended for project-specific configuration but can contain executable Lua logic. This behavior could allow execution of untrusted Lua code if a user opens a malicious project, potentially leading to arbitrary code execution with the privileges of the Lite XL process.

[CVE-2025-12121] [Modified: 10-12-2025] [Analyzed] [V3.1 S7.3:HIGH] Lite XL versions 2.1.8 and prior contain a vulnerability in the system.exec function, which allowed arbitrary command execution through unsanitized shell command construction. This function was used in project directory launching (core.lua), drag-and-drop file handling (rootview.lua), and the “open in system” command in the treeview plugin (treeview.lua). If an attacker could influence input to system.exec, they might execute arbitrary commands with the privileges of the Lite XL process.
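The Ilevia ping.php entry (CVE-2025-60738) and this Lite XL system.exec entry share one root cause: a command string assembled from untrusted input and handed to a shell. The added example below is not code from either project; it shows the vulnerable construction next to the fix a practitioner would apply, which is to validate the input as the type it claims to be and pass it as a separate argv element with no shell involved. The function names and the use of xdg-open (a Linux desktop opener) are assumptions.

```python
"""Building external commands without handing untrusted input to a shell.

Added example, not code from Ilevia (ping.php) or Lite XL (system.exec);
it shows the shared root cause of both entries. Function names and the
xdg-open assumption (a Linux desktop) are illustrative."""
import ipaddress
import os
import shlex
import subprocess
from typing import List


def ping_command_unsafe(target: str) -> str:
    """Vulnerable pattern, never executed here: the string is meant for a shell,
    so ';', '|', '$(...)' and friends in `target` become further commands."""
    return f"ping -c 3 {target}"


def ping_argv(target: str, count: int = 3) -> List[str]:
    """Hardened: accept only a literal IP address and pass it as its own argv
    element, so no shell ever parses it."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"not an IP address: {target!r}") from None
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # A parsed address never starts with '-', so it cannot be misread as an option.
    return ["ping", "-6" if addr.version == 6 else "-4", "-c", str(count), str(addr)]


def open_in_system_argv(path: str) -> List[str]:
    """The 'open in system' case: argv list plus an absolute path, which always
    starts with the filesystem root, so a file named '--help' is never an option."""
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    return ["xdg-open", os.path.abspath(path)]  # assumption: Linux desktop opener


def is_rejected(target: str) -> bool:
    """True if ping_argv refuses the input."""
    try:
        ping_argv(target)
    except ValueError:
        return True
    return False


def run(argv: List[str]) -> int:
    """Execute with shell=False; shlex.join is used only to log the exact command."""
    print("running:", shlex.join(argv))
    return subprocess.run(argv, check=False, timeout=30).returncode


if __name__ == "__main__":
    print(ping_command_unsafe("8.8.8.8; cat /etc/passwd"))  # shows the injected command
    print(ping_argv("8.8.8.8"), is_rejected("8.8.8.8; cat /etc/passwd"))
```

Quoting helpers such as shlex.quote are a fallback for the rare case where a shell is genuinely required; the default should be an argv list, because then there is nothing for the input to break out of.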

[CVE-2025-52410] [Modified: 12-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Institute-of-Current-Students v1.0 contains a time-based blind SQL injection vulnerability in the mydetailsstudent.php endpoint. The `myds` GET parameter is not adequately sanitized before being used in SQL queries.
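The fix for an entry like this is always the same: the parameter must travel as a bound value, never as part of the statement text. The added example below is not code from Institute-of-Current-Students; the table, columns and rows are constructed. The advisory describes a time-based blind injection, and SQLite has no SLEEP(), so the same root cause is shown with a tautology payload that changes the result set instead of the response time.

```python
"""SQL injection through an unsanitized GET parameter, and the parameterized fix.

Added example, not code from Institute-of-Current-Students. The schema and
rows are constructed. SQLite lacks SLEEP(), so a tautology payload stands in
for the conditional-delay payload a time-based blind attack would use."""
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (myds TEXT PRIMARY KEY, name TEXT, grade TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", [
        ("S1", "Ana", "A"), ("S2", "Bruno", "B"), ("S3", "Carla", "C")])
    return conn


def mydetails_unsafe(conn: sqlite3.Connection, myds: str) -> List[Tuple]:
    """Vulnerable pattern: the GET parameter is spliced into the statement text."""
    sql = f"SELECT myds, name, grade FROM students WHERE myds = '{myds}'"
    return conn.execute(sql).fetchall()


def mydetails_safe(conn: sqlite3.Connection, myds: str) -> List[Tuple]:
    """Fixed: the value is bound as a parameter and can only ever be compared, not parsed."""
    sql = "SELECT myds, name, grade FROM students WHERE myds = ?"
    return conn.execute(sql, (myds,)).fetchall()


# Constructed payload. In a time-based blind attack this slot would carry a
# conditional delay and the attacker would read the answer from latency.
PAYLOAD = "x' OR '1'='1"


def demo() -> Tuple[int, int, int]:
    """Rows returned for (unsafe+payload, safe+payload, safe+legitimate id)."""
    conn = setup_db()
    return (len(mydetails_unsafe(conn, PAYLOAD)),
            len(mydetails_safe(conn, PAYLOAD)),
            len(mydetails_safe(conn, "S1")))


if __name__ == "__main__":
    print(demo())
```

With the payload the unsafe query returns every row, the safe query returns none, and a legitimate id still returns exactly one. For detecting the time-based variant in traffic, the signal is a request whose response latency tracks a delay value embedded in the parameter.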

[CVE-2025-62709] [Modified: 25-11-2025] [Analyzed] [V3.1 S6.8:MEDIUM] ClipBucket v5 is an open source video sharing platform. In ClipBucket version 5.5.2, a change to network.class.php causes the application to dynamically build the server URL from the incoming HTTP Host header when the configuration base_url is not set. Because Host is a client-controlled header, an attacker can supply an arbitrary Host value. This allows an attacker to cause password-reset links (sent by forget.php) to be generated with the attacker’s domain. If a victim follows that link and enters their activation code on the attacker-controlled domain, the attacker can capture the code and use it to reset the victim’s password and take over the account. This issue has been patched in version 5.5.2#162.
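Two ways a password-reset flow fails are visible in this feed: a token an attacker can enumerate (SOPlanning, CVE-2025-62294) and a reset link whose host is taken from the client-controlled Host header (ClipBucket, this entry). The added example below is not code from either project. The weak scheme is a constructed illustration of a predictable token and not the algorithm either project used, and the domain names are placeholders.

```python
"""Password-reset tokens and reset links: the predictable-token failure and
the Host-header failure, with the fix for each.

Added example, not code from SOPlanning or ClipBucket. The weak scheme is a
constructed illustration of a predictable token, not either project's
algorithm; domain names are placeholders."""
import hashlib
import hmac
import re
import secrets
from typing import Optional, Set

HOST_RE = re.compile(r"^([a-z0-9.-]+)(:\d{1,5})?$")  # bare host with optional port, nothing else


def weak_token(issued_at: int) -> str:
    """Constructed weak scheme: a hash of the request time in seconds. The key
    space is the attacker's uncertainty about that time, not 2**128."""
    return hashlib.sha256(str(issued_at).encode()).hexdigest()[:32]


def brute_force_weak_token(observed: str, guess_start: int, window: int) -> Optional[int]:
    """Attacker side: knowing roughly when the reset was requested, walk the window."""
    for ts in range(guess_start, guess_start + window):
        if hmac.compare_digest(weak_token(ts), observed):
            return ts
    return None


def strong_token() -> str:
    """Fix: 256 bits from the OS CSPRNG; knowing the request time buys nothing."""
    return secrets.token_urlsafe(32)


def reset_link(configured_base_url: Optional[str], host_header: str,
               allowed_hosts: Set[str], token: str) -> str:
    """Build the link from configuration. Only when base_url is unset fall back to
    the Host header, and then only if it is a bare host[:port] on the allow list.
    The strict regex also refuses 'app.example:443@evil.example'-style values."""
    if configured_base_url:
        base = configured_base_url.rstrip("/")
    else:
        m = HOST_RE.match(host_header.strip().lower())
        if not m or m.group(1) not in allowed_hosts:
            raise ValueError(f"untrusted Host header: {host_header!r}")
        base = f"https://{m.group(0)}"
    return f"{base}/reset?token={token}"


def host_rejected(host_header: str, allowed_hosts: Set[str]) -> bool:
    """True if the Host fallback refuses this header value."""
    try:
        reset_link(None, host_header, allowed_hosts, "t")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed request time
    print(brute_force_weak_token(weak_token(t0 + 37), t0, 120) == t0 + 37)
    print(reset_link("https://app.example", "evil.example", {"app.example"}, strong_token()))
```

Setting the base URL in configuration is the real fix for the Host problem; the allow-listed fallback is only there for deployments that cannot. The token should also be single-use and short-lived, which the example leaves to the caller.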

[CVE-2025-63848] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Stored cross-site scripting (XSS) vulnerability in SWISH (the SWI-Prolog web IDE) through 2.2.0 allows attackers to execute arbitrary script via a crafted web IDE notebook.

[CVE-2025-64428] [Modified: 24-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17.
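This entry is a textbook case of why a scheme blocklist is the wrong shape for a JNDI check: the first patch named the protocols it knew about and the next report used ones it did not. The added example below is not DataEase's code; the blocklist contents are an assumption about what a typical first patch covers, and the lookup strings are constructed.

```python
"""JNDI lookup strings: why a scheme blocklist fails and an allow list does not.

Added example, not DataEase's code. BLOCKED_SCHEMES is an assumption about
what a first-round patch typically lists; the sample lookup strings are
constructed."""
import re
from typing import Dict, Optional, Tuple

SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.-]*):")

BLOCKED_SCHEMES = {"ldap", "ldaps", "rmi", "dns"}  # constructed first-round blocklist
ALLOWED_SCHEMES = {"java"}                         # local java: namespace only


def jndi_scheme(name: str) -> Optional[str]:
    """Scheme of a JNDI name, lower-cased, or None if it has no scheme prefix."""
    m = SCHEME_RE.match(name)
    return m.group(1).lower() if m else None


def blocklist_permits(name: str) -> bool:
    """Rejects the schemes it has heard of; anything else, including iiop,
    corbaname and iiopname, passes straight through."""
    return jndi_scheme(name) not in BLOCKED_SCHEMES


def allowlist_permits(name: str) -> bool:
    """Permits only the local namespace. Every remote protocol is rejected,
    whether or not it existed when the check was written."""
    scheme = jndi_scheme(name)
    return scheme is not None and scheme in ALLOWED_SCHEMES


SAMPLES = [  # constructed lookup strings; attacker.example is a placeholder
    "java:comp/env/jdbc/ds",
    "ldap://attacker.example/a",
    "LDAP://attacker.example/a",
    "rmi://attacker.example/a",
    "iiop://attacker.example/a",
    "corbaname::attacker.example#a",
    "iiopname://attacker.example/a",
    "jdbc/ds",
]


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (blocklist_permits, allowlist_permits)."""
    return {s: (blocklist_permits(s), allowlist_permits(s)) for s in SAMPLES}


if __name__ == "__main__":
    for name, (blocked_ok, allowed_ok) in compare().items():
        print(f"{name:35} blocklist={blocked_ok!s:5} allowlist={allowed_ok}")
```

Where a datasource name really must be user-supplied, the allow list should be tightened further to a fixed prefix such as the application's own java:comp/env/jdbc/ subtree.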

[CVE-2025-63888] [Modified: 25-11-2025] [Analyzed] [V3.1 S9.8:CRITICAL] The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.

[CVE-2025-63889] [Modified: 25-11-2025] [Analyzed] [V3.1 S7.5:HIGH] The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.
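Reading a file named by a template value is safe only when the resolved path is proven to stay under the template root. The added example below is not ThinkPHP's code; it uses posixpath only, so it runs anywhere without touching the file system, and the root directory is a placeholder.

```python
"""Containing a template path inside the template root.

Added example, not ThinkPHP's code. Pure posixpath string logic, so it runs
on any platform without touching the file system; TEMPLATE_ROOT is a
placeholder. On a real file system, resolve symlinks with os.path.realpath
before the containment check."""
import posixpath

TEMPLATE_ROOT = "/srv/app/application/index/view"  # placeholder
ALLOWED_SUFFIXES = (".html",)


def safe_template_path(root: str, name: str) -> str:
    """Return the absolute template path, or raise ValueError if `name` escapes
    `root`, is absolute, contains a NUL byte, or is not a template file."""
    root = posixpath.normpath(root)
    if "\x00" in name:
        raise ValueError("NUL byte in template name")
    if posixpath.isabs(name):
        raise ValueError("absolute template paths are not allowed")
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Compare against root + "/" so that "/srv/app/.../viewX" is not accepted.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"template escapes root: {name!r}")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise ValueError(f"unexpected template suffix: {name!r}")
    return candidate


def escapes(root: str, name: str) -> bool:
    """True if safe_template_path refuses the name."""
    try:
        safe_template_path(root, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for n in ["index.html", "user/../index.html", "../../../../etc/passwd", "/etc/passwd"]:
        print(f"{n!r}: {'rejected' if escapes(TEMPLATE_ROOT, n) else safe_template_path(TEMPLATE_ROOT, n)}")
```

The suffix check is what turns a traversal fix into a read-primitive fix as well: even a path that stays under the root should not be able to pull in an arbitrary file type.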