fkie_cve-2025-40915
Vulnerability from fkie_nvd
Published
2025-06-11 17:15
Modified
2025-06-12 16:06
Severity ?
7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.
References
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\n\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function."
    },
    {
      "lang": "es",
      "value": "Mojolicious::Plugin::CSRF 1.03 para Perl utiliza una fuente de n\u00fameros aleatorios d\u00e9bil para generar tokens CSRF. Esta versi\u00f3n del m\u00f3dulo genera tokens como un MD5 del ID del proceso, la hora actual y una \u00fanica llamada a la funci\u00f3n integrada rand()."
    }
  ],
  "id": "CVE-2025-40915",
  "lastModified": "2025-06-12T16:06:20.180",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 4.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-11T17:15:42.793",
  "references": [
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03"
    }
  ],
  "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.