Syrtain

**Name of the Vulnerable Software and Affected Versions** Sistemas Pleno Gestão de Locação versions up to 2025.7.x **Description** A flaw exists that allows for authorization bypass through manipulation of the `pes cpf` argument. This issue impacts an unknown function within the file '/api/areacliente/pessoa/validarCpf' of the CPF Handler component. The attack can be executed remotely. An exploit for this issue has been published. **Recommendations** Upgrade to version 2025.8.0 to resolve this issue.

Name of the Vulnerable Software and Affected Versions: Display Painéis TGA versions through 7.1.41 Description: A security flaw exists in Display Painéis TGA up to version 7.1.41. The issue is related to path traversal within the `/gallery/rename` file of the Galeria Page component, resulting from manipulation of the `current folder` argument. The exploit for this issue has been publicly released. The vendor was notified but did not respond. Recommendations: Versions prior to 7.1.41 should be updated. As a temporary workaround, restrict access to the `/gallery/rename` file. Avoid using the `current folder` argument in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SoluçõesCoop iSoluçõesWEB versions prior to 20250519 **Description** A problem was found in some unknown functionality of the file /fluxos-dashboard of the component Flow Handler. The manipulation of the `Descrição da solicitação` argument leads to cross site scripting attacks. These attacks can be executed remotely. The exploit has been publicly disclosed and could be used. **Recommendations** For versions prior to 20250519, update the affected component to resolve the issue. As a temporary workaround, consider restricting access to the /fluxos-dashboard file of the Flow Handler component to minimize the risk of exploitation. Avoid using the `Descrição da solicitação` argument in the affected functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SoluçõesCoop iSoluçõesWEB up to 20250516 **Description** A problematic issue has been identified, affecting the Profile Information Update component, specifically the file /sys/up.upload.php. The manipulation of the `nomeArquivo` argument leads to path traversal. This issue can be exploited remotely. **Recommendations** Upgrade the affected component to a version later than 20250516. As a temporary workaround, consider restricting access to the /sys/up.upload.php file to minimize the risk of exploitation. Avoid using the `nomeArquivo` argument in the affected component until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Vivotek NVR ND8422P, NVR ND9525P and NVR ND9541P versions 2.4.0.204/3.3.0.104/4.2.0.101 Description: A vulnerability was found in the HTML Form Handler component of Vivotek NVR devices. The manipulation leads to the inclusion of sensitive information in the source code. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.