fweno.onefour.com.br

Current Conditions
São Paulo
céu limpo

22 ℃
83%
Temperatura
Umidade
Fonte: OpenWeatherMap. - 10:00:02
  1. [USD] USD 81,282.27
  1. [BRL] BRL 402,964.97 [USD] USD 81,282.27 [GBP] GBP 60,024.19 [EUR] EUR 69,520.56
    Price index provided by blockchain.info.
  2. After Bitcoin Core 0.14.0 and before Bitcoin Core 29.0, validating a specially-crafted block may cause the node to access previously freed memory.
    During validation, necessary data required for checking inputs for each transaction is pre-calculated and cached. For specially crafted invalid blocks, it was possible for this data to be destroyed while it was still being accessed by a background validation thread. An attacker capable of mining a block with sufficient proof-of-work could have exploited this to crash victim nodes. Because of the nature of use-after-free bugs, it is possible that the crash could have been used for remote code execution, though constraints on the input (block) data make this unlikely.
    This issue is considered High severity.

    Details

    By default, script validation for new blocks is dispatched to background threads via a vector of CScriptCheck functors. Each CScriptCheck holds a pointer to a PrecomputedTransactionData object which stores some data needed by each input in the transaction. Because it stores a pointer and not the data itself, care must be taken to ensure that the PrecomputedTransactionData outlives the CScriptCheck.
    The script checks lifetime is enforced by an RAII class, CCheckQueueControl. However, the control is intantiated before the precomputed transaction data. Because local objects in C++ are destructed in reverse order of construction, this means the vector of PrecomputedTransactionData is destroyed before the CCheckQueueControl.
    This is not an issue when the block is valid, as CCheckQueueControl::Wait() will be called before the function returns and the PrecomputedTransactionData gets destroyed. However, in case of an early return (when a separate check fails) a background script thread may read the precomputed transaction data after it was destroyed. An attacker could exploit this to crash victim nodes at the expense of a valid PoW at tip.

    Attribution

    Cory Fields (MIT DCI) discovered this vulnerability and responsibly disclosed it in a detailed report containing a proof of concept for reproduction and a proposed mitigation.

    Timeline

    • 2024-11-02 Cory Fields privately reports the bug
    • 2024-11-06 Pieter Wuille pushes a covert fix to already open PR #31112 which works around the issue by removing the early returns
    • 2024-12-03 PR #31112 is merged
    • 2025-04-12 Bitcoin Core version 29.0 is released with a fix
    • 2026-04-19 The last vulnerable Bitcoin Core version (28.x) goes end of life
    • 2026-05-05 Public disclosure.

dog - 10:13:04 up 227 days, 18:44, 4 users, load average: 0.00, 0.00, 0.00

Google News

[05/05/2026 07:25] Deputado estadual Thiago Rangel é preso pela PF na 4ª fase da Operação Unha e Carne - G1

[05/05/2026 07:01] A disputa pela Presidência no 1º turno, segundo nova pesquisa Real Time Big Data - CartaCapital

[05/05/2026 06:02] Supremo vê erro do Executivo na derrota de Messias - Poder360

[05/05/2026 05:36] Avião cai em Belo Horizonte e colide contra prédio; três pessoas morreram - BBC

[05/05/2026 06:58] OMS diz suspeitar que passageiros embarcaram em navio já infectados com hantavírus e doença se espalhou a bordo - G1

[04/05/2026 15:54] 8 de janeiro: Moraes nega liberdade a mãe condenada que pediu aplicação do PL da Dosimetria - Revista Oeste

[05/05/2026 02:00] Fim da jornada 6x1: comissão define rota de trabalho e vai ouvir ministros de Lula - R7

[05/05/2026 03:28] Filho da deputada Heloísa Helena morre aos 42 anos - Poder360

[05/05/2026 05:58] Membro do Comando Vermelho que serrou cela para fugir é recapturado em MG - Estado de Minas

[05/05/2026 04:01] Congresso cria precedentes ao rejeitar indicação ao STF e manobrar regimento para não abrir CPI, avaliam técnicos - G1

NVD Feed

[CVE-2025-5965] [Modified: 26-01-2026] [Analyzed] [V3.1 S7.2:HIGH] In the backup parameters, a user with high privilege is able to concatenate custom instructions to the backup setup. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Centreon Infra Monitoring (Backup configuration in the administration setup modules) allows OS Command Injection.This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19.

[CVE-2026-0583] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This vulnerability affects unknown code of the file app/user/login.php of the component User Login. The manipulation of the argument emailadd results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

[CVE-2026-0584] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A weakness has been identified in code-projects Online Product Reservation System 1.0. This issue affects some unknown processing of the file app/products/left_cart.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.

[CVE-2026-0585] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A security vulnerability has been detected in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the file /order_view.php of the component GET Parameter Handler. Such manipulation of the argument transaction_id leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

[CVE-2025-12519] [Modified: 26-01-2026] [Analyzed] [V3.1 S5.3:MEDIUM] Missing Authorization vulnerability in Centreon Infra Monitoring (Administration parameters API endpoint modules) allows Accessing Functionality Not Properly Constrained by ACLs, resulting in Information Disclosure like downtime or acknowledgement configurations. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19.

[CVE-2025-13056] [Modified: 26-01-2026] [Analyzed] [V3.1 S6.8:MEDIUM] Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Administration ACL menu configuration modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19.

[CVE-2026-0586] [Modified: 29-04-2026] [Analyzed] [V3.1 S4.3:MEDIUM] A vulnerability was detected in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file handgunner-administrator/prod.php. Performing a manipulation of the argument cat results in cross site scripting. The attack is possible to be carried out remotely. The exploit is now public and may be used.

[CVE-2026-0587] [Modified: 29-04-2026] [Analyzed] [V3.1 S3.5:LOW] A security flaw has been discovered in Xinhu Rainrock RockOA up to 2.7.1. Affected is an unknown function of the file rock_page_gong.php of the component Cover Image Handler. The manipulation of the argument fengmian results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2026-0588] [Modified: 29-04-2026] [Analyzed] [V3.1 S3.5:LOW] A weakness has been identified in Xinhu Rainrock RockOA up to 2.7.1. Affected by this vulnerability is an unknown functionality of the file rockfun.php of the component API. This manipulation of the argument callback causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

[CVE-2026-0589] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A vulnerability was found in code-projects Online Product Reservation System 1.0. Impacted is an unknown function of the component Administration Backend. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used.

[CVE-2026-0590] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was determined in code-projects Online Product Reservation System 1.0. The affected element is an unknown function of the file /app/checkout/delete.php of the component POST Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

[CVE-2025-12511] [Modified: 26-01-2026] [Analyzed] [V3.1 S6.8:MEDIUM] Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (DSM extenstio configuration modules) allows Stored XSS to user with elevated privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.1, from 24.10.0 before 24.10.4, from 24.04.0 before 24.04.8.

[CVE-2025-12513] [Modified: 26-01-2026] [Analyzed] [V3.1 S6.8:MEDIUM] Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Centreon Infra Monitoring (Hosts configuration form modules) allows Stored XSS to users with high privileges. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.15, from 24.04.0 before 24.04.19.

[CVE-2025-68280] [Modified: 26-01-2026] [Analyzed] [V3.1 S6.5:MEDIUM] Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services: * Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG). * Parsing of ISO 19115 metadata in XML format. * Parsing of Coordinate Reference Systems defined in the GML format. * Parsing of files in GPS Exchange Format (GPX). This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property sets to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ...

[CVE-2026-0591] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A vulnerability was identified in code-projects Online Product Reservation System 1.0. The impacted element is an unknown function of the file /app/checkout/update.php of the component Cart Update Handler. Such manipulation of the argument id/qty leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

[CVE-2026-0592] [Modified: 29-04-2026] [Analyzed] [V3.1 S7.3:HIGH] A security flaw has been discovered in code-projects Online Product Reservation System 1.0. This affects an unknown function of the file /handgunner-administrator/register_code.php of the component User Registration Handler. Performing a manipulation of the argument fname/lname/address/city/province/country/zip/tel_no/email/username results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

[CVE-2025-15026] [Modified: 26-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Missing Authentication for Critical Function vulnerability in Centreon Infra Monitoring centreon-awie (Awie import module) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.

[CVE-2025-15029] [Modified: 26-01-2026] [Analyzed] [V3.1 S9.8:CRITICAL] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon Infra Monitoring (Awie export modules) allows SQL Injection to unauthenticated user. This issue affects Infra Monitoring: from 25.10.0 before 25.10.2, from 24.10.0 before 24.10.3, from 24.04.0 before 24.04.3.

[CVE-2025-66376] [Modified: 18-03-2026] [Analyzed] [V3.1 S7.2:HIGH] Zimbra Collaboration (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13 allows Classic UI stored XSS via Cascading Style Sheets (CSS) @import directives in an HTML e-mail message.

[CVE-2026-0597] [Modified: 29-04-2026] [Analyzed] [V3.1 S6.3:MEDIUM] A flaw has been found in Campcodes Supplier Management System 1.0. Affected by this issue is some unknown functionality of the file /retailer/edit_profile.php. This manipulation of the argument txtRetailerAddress causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

 
Amazon AWS httpd php.net Lets Encrypt Bootstrap