Dancer
Monthly
Dancer::Session::Abstract through version 1.3522 generates cryptographically weak session identifiers by combining predictable inputs (file path, process ID, epoch time) with an insufficiently-seeded Perl rand() function, allowing remote attackers to predict valid session IDs and hijack user sessions without authentication. The vulnerability affects Perl-based web applications using Dancer framework's default session handling; active exploitation is not confirmed but the attack requires only guessing a session ID, making it practically exploitable.
CRLF injection vulnerability in the cookie method (lib/Dancer/Cookie.pm) in Dancer before 1.3114 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dancer::Session::Abstract through version 1.3522 generates cryptographically weak session identifiers by combining predictable inputs (file path, process ID, epoch time) with an insufficiently-seeded Perl rand() function, allowing remote attackers to predict valid session IDs and hijack user sessions without authentication. The vulnerability affects Perl-based web applications using Dancer framework's default session handling; active exploitation is not confirmed but the attack requires only guessing a session ID, making it practically exploitable.
CRLF injection vulnerability in the cookie method (lib/Dancer/Cookie.pm) in Dancer before 1.3114 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.