Filtered by vendor Hayajo
Subscriptions
Total
2 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9733 | 1 Hayajo | 1 Mojolicious::plugin::web::auth::oauth2 | 2026-06-23 | 9.1 Critical |
| Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF). | ||||
| CVE-2026-9692 | 1 Hayajo | 1 Mojolicious::sessions::storable | 2026-06-20 | 5.3 Medium |
| Mojolicious::Sessions::Storable versions through 0.05 for Perl generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, the heap address of an anonymous hash, and the PID. These are predictable or low-entropy sources that are unsuitable for security purposes. | ||||
Page 1 of 1.