Bitcoin Core version 28.4 is now available for download. See the release notes for more information about the bug fixes in this release.
If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we’ll do our best to help you.

[CVE-2025-63938] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

[CVE-2025-65235] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 was discovered to contain a SQL injection vulnerability via the ID parameter in the getSubUsersByProvider function.

[CVE-2025-65236] [Modified: 02-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] OpenCode Systems USSD Gateway OC Release: 5 was discovered to contain a SQL injection vulnerability via the Session ID parameter in the /occontrolpanel/index.php endpoint.

[CVE-2025-65237] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.1:MEDIUM] A reflected cross-site scripting (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload.

[CVE-2025-65238] [Modified: 02-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information.

[CVE-2025-65239] [Modified: 30-12-2025] [Analyzed] [V3.1 S4.3:MEDIUM] Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to read server logs.

[CVE-2025-11461] [Modified: 19-12-2025] [Analyzed] [V3.1 S8.8:HIGH] Multiple SQL Injections in Frappe CRM Dashboard Controller due to unsafe concatenation of user-controlled parameters into dynamic SQL statements. This issue affects Frappe CRM: 1.53.1.

[CVE-2025-2486] [Modified: 19-12-2025] [Analyzed] [V3.1 S8.8:HIGH] The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

[CVE-2025-55469] [Modified: 05-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] Incorrect access control in youlai-boot v2.21.1 allows attackers to escalate privileges and access the Administrator backend.

[CVE-2025-55471] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Incorrect access control in the getUserFormData function of youlai-boot v2.21.1 allows attackers to access sensitive information for other users.

[CVE-2025-26155] [Modified: 30-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] NCP Secure Enterprise Client 13.18 and NCP Secure Entry Windows Client 13.19 have an Untrusted Search Path vulnerability.

[CVE-2025-65669] [Modified: 03-12-2025] [Analyzed] [V3.1 S9.1:CRITICAL] An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.

[CVE-2025-65672] [Modified: 05-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.

[CVE-2025-65675] [Modified: 05-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.

[CVE-2025-65676] [Modified: 03-12-2025] [Analyzed] [V3.1 S5.4:MEDIUM] Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.

[CVE-2025-65681] [Modified: 30-12-2025] [Analyzed] [V3.1 S3.3:LOW] An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks.

[CVE-2025-65966] [Modified: 05-12-2025] [Analyzed] [V3.1 S8.1:HIGH] OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0.

[CVE-2025-66028] [Modified: 05-12-2025] [Analyzed] [V3.1 S8.2:HIGH] OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, it is possible to gain access to the admin dashboard interface. However, an attacker may be unable to view or interact with the data if they still do not have sufficient permissions. This issue has been patched in version 8.0.5567.

[CVE-2025-50433] [Modified: 29-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An issue was discovered in imonnit.com (2025-04-24) allowing malicious actors to gain escalated privileges via crafted password reset to take over arbitrary user accounts.

[CVE-2025-65276] [Modified: 30-12-2025] [Analyzed] [V3.1 S9.8:CRITICAL] An unauthenticated administrative access vulnerability exists in the open-source HashTech project (https://github.com/henzljw/hashtech) 1.0 through commit 5919decaff2681dc250e934814fc3a35f6093ee5 (2021-07-02). Due to missing authentication checks on /admin_index.php, an attacker can directly access the admin dashboard without valid credentials. This allows full administrative control including viewing/modifying user accounts, managing orders, changing payments, and editing product listings. Successful exploitation can lead to information disclosure, data manipulation, and privilege escalation.