Bitcoin Core version 29.3 is now available for download. See the release notes for more information about the bug fixes in this release. If you have any questions, please stop by the #bitcoin IRC chatroom (IRC, web) and we'll do our best to help you.

[CVE-2025-61413] [Modified: 31-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.0 allows attackers to execute arbitrary web scripts or HTML by creating a page and injecting a crafted payload into its Markdown blocks.

[CVE-2025-61464] [Modified: 30-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] gnuboard gnuboard4 v4.36.04 and earlier is vulnerable to second-order SQL injection via search_table in bbs/search.php.

[CVE-2025-11621] [Modified: 29-12-2025] [Analyzed] [V3.1 S8.1:HIGH] Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability, CVE-2025-11621, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
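The fix is the upgrade; before it lands, the two conditions named above (a wildcard in the bound principal, or the same IAM role name bound in more than one AWS account) are things you can check in your own role configuration. The following is an added audit script, not HashiCorp code. It assumes the input is the JSON printed by `vault read -format=json auth/aws/role/<name>` for each role, whose `data` object carries the `bound_iam_principal_arn` list (the Vault API field name; the advisory text above refers to it as bound_principal_iam). The sample roles, account IDs and ARNs are constructed:

```python
import json
import re

# Constructed sample input shaped like `vault read -format=json auth/aws/role/<name>`
# output, keyed by Vault role name. Account IDs and role names are made up.
SAMPLE_ROLES = {
    "ci-runner": json.loads(
        '{"data": {"auth_type": "iam", "bound_iam_principal_arn": '
        '["arn:aws:iam::111111111111:role/ci-runner"]}}'
    ),
    "deploy": json.loads(
        '{"data": {"auth_type": "iam", "bound_iam_principal_arn": '
        '["arn:aws:iam::222222222222:role/ci-runner", '
        '"arn:aws:iam::222222222222:role/deploy"]}}'
    ),
    "anything": json.loads(
        '{"data": {"auth_type": "iam", "bound_iam_principal_arn": '
        '["arn:aws:iam::333333333333:role/*"]}}'
    ),
}

# arn:PARTITION:(iam|sts)::ACCOUNT:(role|user|assumed-role)/NAME[...]
ARN_RE = re.compile(r"^arn:[^:]*:(iam|sts)::(\d{12}):(?:role|user|assumed-role)/([^/]+)")


def parse_principal(arn: str):
    """Return (account_id, principal_name), or (None, arn) if the ARN is unparseable."""
    m = ARN_RE.match(arn)
    return (m.group(2), m.group(3)) if m else (None, arn)


def audit(roles: dict) -> dict:
    """Flag wildcard bindings and principal names bound under more than one account."""
    findings = {"wildcard": [], "cross_account": []}
    by_name = {}  # principal name -> set of account IDs it is bound in
    for vault_role, doc in roles.items():
        arns = doc.get("data", {}).get("bound_iam_principal_arn") or []
        if isinstance(arns, str):  # tolerate a single string instead of a list
            arns = [arns]
        for arn in arns:
            if "*" in arn:
                findings["wildcard"].append((vault_role, arn))
            account, name = parse_principal(arn)
            if account is not None:
                by_name.setdefault(name, set()).add(account)
    for name, accounts in by_name.items():
        if len(accounts) > 1:
            findings["cross_account"].append((name, sorted(accounts)))
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROLES), indent=2))
```

To run it against a real mount, collect role names with `vault list -format=json auth/aws/roles`, read each role as above, and feed the resulting dictionary to `audit()`. The cross-account check is a heuristic for the collision the advisory describes: it tells you which role names would be ambiguous if an attacker could create a same-named role in another account, not whether your specific build is exploitable.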

[CVE-2025-60837] [Modified: 27-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload.

[CVE-2025-60859] [Modified: 28-10-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Cross-site scripting (XSS) vulnerability in Gnuboard 5.6.15 allows authenticated attackers to execute arbitrary code via a crafted c_id parameter in bbs/view_comment.php.

[CVE-2025-62255] [Modified: 12-12-2025] [Analyzed] [V3.1 S6.1:MEDIUM] Self Cross-site scripting (XSS) vulnerability on the edit Knowledge Base article page in Liferay Portal 7.4.0 through 7.4.3.101, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an attachment's filename.

[CVE-2025-12044] [Modified: 23-12-2025] [Analyzed] [V3.1 S7.5:HIGH] Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for HCSEC-2025-24 (https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393) which allowed JSON payloads to be processed before rate limits were applied. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.

[CVE-2025-54963] [Modified: 28-10-2025] [Analyzed] [V3.1 S6.5:MEDIUM] An issue was discovered in BAE SOCET GXP before 4.6.0.2. An attacker with the ability to interact with the GXP Job Service may submit a crafted job request that grants read access to files on the filesystem with the permissions of the GXP Job Service process. The path to a file is not sanitized for directory traversal, potentially allowing an attacker to read sensitive files in some configurations.
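The entry above is the usual traversal failure: a user-supplied file path is used as given. The following is an added, constructed example (not SOCET GXP code; the directory layout is made up) of the containment check a job service should apply before opening a requested file. It canonicalizes both the base directory and the candidate and compares path components, which catches `..` segments, absolute paths, a sibling directory that merely shares the base name as a string prefix, and a symlink inside the tree that points outside it:

```python
import os
import tempfile
from typing import Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` if it lies under base_dir, else None."""
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `requested` is absolute, so canonicalize the
    # joined result and decide by comparing path components, not string prefixes.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_job_file(base_dir: str, requested: str) -> bytes:
    """Read a file for a job request, refusing anything outside base_dir."""
    path = resolve_within(base_dir, requested)
    if path is None:
        raise PermissionError(f"path escapes {base_dir}: {requested!r}")
    with open(path, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree and exercise the check against the classic bypasses."""
    root = tempfile.mkdtemp()
    jobs = os.path.join(root, "jobs")
    os.makedirs(os.path.join(jobs, "sub"))
    with open(os.path.join(jobs, "sub", "report.txt"), "w") as fh:
        fh.write("ok")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("SECRET")
    # Sibling directory whose name shares the prefix "jobs": a naive
    # candidate.startswith(base) check would accept files under it.
    os.makedirs(os.path.join(root, "jobs-private"))
    with open(os.path.join(root, "jobs-private", "key"), "w") as fh:
        fh.write("KEY")
    # Symlink inside the allowed tree that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(jobs, "link"))

    def allowed(req: str) -> bool:
        return resolve_within(jobs, req) is not None

    return {
        "plain": allowed("sub/report.txt"),
        "dotdot": allowed("../secret.txt"),
        "absolute": allowed(os.path.join(root, "secret.txt")),
        "prefix_sibling": allowed("../jobs-private/key"),
        "symlink_out": allowed("link"),
        "content": read_job_file(jobs, "sub/report.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

Note the check is done on the resolved path, so a symlink created later inside the tree is still rejected at open time; a check done on the raw string would pass it.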

[CVE-2025-54964] [Modified: 28-10-2025] [Analyzed] [V3.1 S8.4:HIGH] An issue was discovered in BAE SOCET GXP before 4.6.0.2. An attacker with the ability to interact with the GXP Job Service may inject arbitrary executables. If the Job Service is configured for local-only access, this may allow for privilege escalation in certain situations. If the Job Service is network accessible, this may allow remote command execution.

[CVE-2025-54966] [Modified: 28-10-2025] [Analyzed] [V3.1 S4.3:MEDIUM] An issue was discovered in BAE SOCET GXP before 4.6.0.2. Some endpoints on the SOCET GXP Job Status Service may return sensitive information in certain situations, including local file paths and SOCET GXP version information.

[CVE-2025-62236] [Modified: 31-12-2025] [Analyzed] [V3.1 S5.3:MEDIUM] The Frontier Airlines website has a publicly available endpoint that validates whether an email address is associated with an account. An unauthenticated, remote attacker could determine valid email addresses, possibly aiding in further attacks.

[CVE-2025-59273] [Modified: 28-10-2025] [Analyzed] [V3.1 S7.3:HIGH] Improper access control in Azure Event Grid allows an unauthorized attacker to elevate privileges over a network.

[CVE-2025-59500] [Modified: 31-12-2025] [Analyzed] [V3.1 S7.7:HIGH] Improper access control in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

[CVE-2025-59503] [Modified: 31-12-2025] [Analyzed] [V3.1 S10.0:CRITICAL] Server-side request forgery (ssrf) in Azure Compute Gallery allows an unauthorized attacker to elevate privileges over a network.

[CVE-2025-62254] [Modified: 10-11-2025] [Analyzed] [V3.1 S7.5:HIGH] The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.

[CVE-2025-36361] [Modified: 28-10-2025] [Analyzed] [V3.1 S6.3:MEDIUM] IBM App Connect Enterprise 13.0.1.0 through 13.0.4.2, and 12.0.1.0 through 12.0.12.17 could allow an authenticated user to perform unauthorized actions on customer defined resources due to missing authorization.

[CVE-2025-5350] [Modified: 21-11-2025] [Analyzed] [V3.1 S5.9:MEDIUM] SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context. By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk. Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.

[CVE-2025-5605] [Modified: 21-11-2025] [Analyzed] [V3.1 S4.3:MEDIUM] An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.

[CVE-2025-46425] [Modified: 04-11-2025] [Analyzed] [V3.1 S6.5:MEDIUM] Dell Storage Center - Dell Storage Manager version 20.1.20 contains an Improper Restriction of XML External Entity Reference vulnerability. A low-privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access.

[CVE-2025-43994] [Modified: 04-11-2025] [Analyzed] [V3.1 S8.6:HIGH] Dell Storage Center - Dell Storage Manager version DSM 20.1.21 contains a Missing Authentication for Critical Function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information disclosure.