FKIE_CVE-2025-40915

Vulnerability from fkie_nvd - Published: 2025-06-11 17:15 - Updated: 2025-06-12 16:06
Severity ?
7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens. That version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function.
References
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes
9b29abf9-4ab0-4765-b253-1875cd9b441ehttps://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mojolicious::Plugin::CSRF 1.03 for Perl uses a weak random number source for generating CSRF tokens.\n\nThat version of the module generates tokens as an MD5 of the process id, the current time, and a single call to the built-in rand() function."
    },
    {
      "lang": "es",
      "value": "Mojolicious::Plugin::CSRF 1.03 para Perl utiliza una fuente de n\u00fameros aleatorios d\u00e9bil para generar tokens CSRF. Esta versi\u00f3n del m\u00f3dulo genera tokens como un MD5 del ID del proceso, la hora actual y una \u00fanica llamada a la funci\u00f3n integrada rand()."
    }
  ],
  "id": "CVE-2025-40915",
  "lastModified": "2025-06-12T16:06:20.180",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.0,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 4.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-11T17:15:42.793",
  "references": [
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/changes"
    },
    {
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "url": "https://metacpan.org/release/GRYPHON/Mojolicious-Plugin-CSRF-1.04/diff/GRYPHON/Mojolicious-Plugin-CSRF-1.03"
    }
  ],
  "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.