
15 matches found

Positive Technologies
added 2026/04/30 12:0 a.m. · 1 views

PT-2026-36091

Dancer::Session::Abstract versions through 1.3522 for Perl generates session ids insecurely. The session id is generated from summing the character codepoints of the absolute pathname with the process id, the epoch time and calls to the built-in rand function to return a number between 0 and...

5.9 CVSS · 5.3 AI score · 0.00054 EPSS
Exploits 0 · References 3
Positive Technologies
added 2026/04/13 12:0 a.m. · 3 views

PT-2026-32282

Solstice::Session versions through 1440 for Perl generates session ids insecurely. The generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand function and the process id. The same method is used in the generateID method in...

5.7 AI score · 0.00045 EPSS
Exploits 0 · References 4
EUVD
added 2026/03/28 9:33 p.m. · 2 views

EUVD-2026-16939

HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids. HTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will com...

5.8 AI score · 0.00024 EPSS
Exploits 0 · References 5
RedhatCVE
added 2025/11/13 4:2 p.m. · 3 views

CVE-2025-9316

N-central 2025.4 can generate sessionIDs for unauthenticated users. This issue affects N-central: before 2025.4...

6.9 CVSS · 7.1 AI score · 0.71424 EPSS
Exploits 2 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2021-10076

Malware in sbrugna...

7.1 CVSS · 6.9 AI score · 0.00372 EPSS
Exploits 1 · References 3
EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2023-32483

Malicious code in bioql PyPI...

9.8 CVSS · 9.3 AI score · 0.00075 EPSS
Exploits 1 · References 3
Vulnrichment
added 2025/09/20 12:31 p.m. · 3 views

CVE-2025-40925 Starch versions 0.14 and earlier generate session ids insecurely

Starch versions 0.14 and earlier generate session ids insecurely. The default session id generator returns a SHA-1 hash seeded with a counter, the epoch time, the built-in rand function, the PID, and internal Perl reference addresses. The PID will come from a small set of numbers, and the epoch...

6.5 AI score · 0.00076 EPSS
Exploits 0 · References 3
Vulnrichment
added 2025/08/06 8:45 p.m. · 4 views

CVE-2025-7770 Predictable Seed in Pseudo-Random Number Generator (PRNG) in Tigo Energy Cloud Connect Advanced

Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID...

8.7 CVSS · 6.2 AI score · 0.00355 EPSS
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 3:38 a.m. · 4 views

CVE-2023-28862

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an...

9.8 CVSS · 6.9 AI score · 0.00075 EPSS
Exploits 1 · References 1
Positive Technologies
added 2025/01/01 12:0 a.m. · 3 views

PT-2025-29908 · Catalyst +1 · Catalyst-Plugin-Session +1

Name of the Vulnerable Software and Affected Versions: Catalyst::Plugin::Session versions prior to 0.44

Description: The session ID generation process uses low-entropy data, including a counter, epoch time, the rand function, the process ID (PID), and the Catalyst context. The rand function is...

6.5 CVSS · 6.5 AI score · 0.00258 EPSS
Exploits 0 · References 15
OSV
added 2023/03/31 5:15 p.m. · 24 views

CVE-2023-28862

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an...

9.8 CVSS · 9.7 AI score
Exploits 0 · References 3
Prion
added 2023/03/31 5:15 p.m. · 10 views

Session fixation

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an...

7.5 CVSS · 9.5 AI score · 0.00075 EPSS
Exploits 1 · References 3
Vulnrichment
added 2023/03/31 12:0 a.m. · 4 views

CVE-2023-28862

An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session ID generation in the AuthBasic handler and incorrect failure handling during a password check allow attackers to bypass 2FA verification. Any plugin that tries to deny session creation after the store step does not deny an...

6.9 AI score · 0.00075 EPSS
Exploits 1 · References 3
CNNVD
added 2021/09/23 12:0 a.m. · 2 views

revive-adserver security feature issue vulnerability

revive-adserver is an open source ad server licensed under the GNU General Public License. A security feature issue vulnerability exists in revive-adserver, which stems from revive-adserver's generation of session IDs based on the cryptographically insecure uniqid PHP function...

7.1 CVSS · 7 AI score · 0.00372 EPSS
Exploits 1 · References 3
Exploit DB
added 2013/09/25 12:0 a.m. · 41 views

ZeroShell 'cgi-bin/kerbynet' - Local File Disclosure

Introduction to the PoC: In this distribution, the management website is a binary file named "kerbynet" interpreted in cgi-bin directory here: /cdrom/usr/local/apache2/cgi-bin/kerbynet So all url look like this :...

7.4 AI score
Exploits 0