CVE-2018-25160

Medium CVSS: 6.5

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend.

For example, if an application uses memcached for session storage, then it may be possible for a remote attacker to inject memcached commands in the session id value.

Vendor

Tokuhirom

Product

Http\

CWE

CWE-20

Yayın Tarihi

2026-02-27 21:16:03

Güncelleme

2026-03-18 19:25:49

Source Identifier

9b29abf9-4ab0-4765-b253-1875cd9b441e

KEV Date Added

Kategoriler

CWE-20 Http\ MEDIUM Tokuhirom 2026

Referanslar

https://github.com/tokuhirom/HTTP-Session2/commit/813838f6d08034b6a265a70e53b59b941b5d3e6d.patch https://metacpan.org/pod/Cache::Memcached::Fast::Safe https://metacpan.org/release/TOKUHIROM/HTTP-Session2-1.10/source/Changes http://www.openwall.com/lists/oss-security/2026/02/27/13

Benzer Kayıtlar

Critical

CVE-2025-15604

Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions. In versions 6.…

Critical

CVE-2026-3257

UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library. UnQLite for Perl emb…

Medium

CVE-2026-3255

HTTP::Session2 versions before 1.12 for Perl for Perl may generate weak session ids using the rand() function. The HTTP…