
[CVE-2025-59390] [Modified: 04-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Apache Druid’s Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure random number generator. This may allow an attacker to predict or brute force the secret used to sign authentication cookies, potentially enabling token forgery or authentication bypass. Additionally, each process generates its own fallback secret, resulting in inconsistent secrets across nodes. This causes authentication failures in distributed or multi-broker deployments, effectively leading to incorrectly configured clusters. Users are advised to configure a strong `druid.auth.authenticator.kerberos.cookieSignatureSecret`. This issue affects Apache Druid: through 34.0.0. Users are recommended to upgrade to version 35.0.0, which fixes the issue by making it mandatory to set `druid.auth.authenticator.kerberos.cookieSignatureSecret` when using the Kerberos authenticator. Services will fail to come up if the secret is not set.

[CVE-2025-62728] [Modified: 04-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call the Thrift APIs directly. In most real-world deployments, HMS is accessible to only a handful of applications (e.g., Hiveserver2), thus the vulnerability is not exploitable. Moreover, the vulnerable code cannot be reached when the metastore.try.direct.sql property is set to false. This issue affects Apache Hive: from 4.1.0 before 4.2.0. Users are recommended to upgrade to version 4.2.0, which fixes the issue. Users who cannot upgrade directly are encouraged to set the metastore.try.direct.sql property to false if the HMS Thrift APIs are exposed to the general public.

[CVE-2025-13674] [Modified: 03-12-2025] [Analyzed] [V3.1 S5.5:MEDIUM] BPv7 dissector crash in Wireshark 4.6.0 allows denial of service

[CVE-2025-50399] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter password.

[CVE-2025-50402] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] FAST FAC1200R F400_FAC1200R_Q is vulnerable to Buffer Overflow in the function sub_80435780 via the parameter string fac_password.

[CVE-2025-63938] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

[CVE-2025-65235] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.

[CVE-2025-65236] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.

[CVE-2025-65237] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.

[CVE-2025-65238] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.

[CVE-2025-65239] [Modified: 30-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release: 5, version 6.13.11 allows attackers with low-level privileges to read server logs.

[CVE-2025-11461] [Modified: 19-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.

[CVE-2025-2486] [Modified: 19-12-2025] [Analyzed] [V3.1 S8.8:HIGH] The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

[CVE-2025-55469] [Modified: 05-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.

[CVE-2025-55471] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.

[CVE-2025-26155] [Modified: 30-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.

[CVE-2025-65669] [Modified: 03-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.

[CVE-2025-65672] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

[CVE-2025-65675] [Modified: 05-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.

[CVE-2025-65676] [Modified: 03-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.