{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-29T05:23:17.002","vulnerabilities":[{"cve":{"id":"CVE-2024-58134","sourceIdentifier":"9b29abf9-4ab0-4765-b253-1875cd9b441e","published":"2025-05-03T16:15:19.310","lastModified":"2025-10-20T20:15:36.697","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as an HMAC session cookie secret by default.\n\nThese predictable default secrets can be exploited by an attacker to forge session cookies.  An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user’s session."},{"lang":"es","value":"Las versiones de Mojolicious de la 0.999922 a la 9.39 para Perl utilizan una cadena de código fijo, o el nombre de la clase de la aplicación, como secreto de sesión HMAC por defecto. Estos secretos predeterminados predecibles pueden explotarse para falsificar cookies de sesión. Un atacante que conozca o adivine el secreto podría calcular firmas HMAC válidas para la cookie de sesión, lo que le permitiría manipular o secuestrar la sesión de otro usuario."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2}]},"weaknesses":[{"source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","type":"Secondary","description":[{"lang":"en","value":"CWE-321"},{"lang":"en","value":"CWE-331"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mojolicious:mojolicious:*:*:*:*:*:perl:*:*","versionStartIncluding":"0.999922","versionEndIncluding":"9.40","matchCriteriaId":"007066BB-83B9-4F4C-BAAB-261837197373"}]}]}],"references":[{"url":"https://docs.mojolicious.org/Mojolicious/Guides/FAQ#What-does-Your-secret-passphrase-needs-to-be-changed-mean","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://github.com/hashcat/hashcat/pull/4090","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/mojolicious/mojo/pull/1791","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/mojolicious/mojo/pull/2200","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Issue Tracking","Patch"]},{"url":"https://github.com/mojolicious/mojo/pull/2252","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://lists.debian.org/debian-perl/2025/05/msg00016.html","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://lists.debian.org/debian-perl/2025/05/msg00017.html","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://lists.debian.org/debian-perl/2025/05/msg00018.html","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e"},{"url":"https://medium.com/securing/baking-mojolicious-cookies-revisited-a-case-study-of-solving-security-problems-through-security-by-13da7c225802","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Third Party Advisory"]},{"url":"https://metacpan.org/release/SRI/Mojolicious-9.39/source/lib/Mojolicious.pm#L51","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Product"]},{"url":"https://www.synacktiv.com/publications/baking-mojolicious-cookies","source":"9b29abf9-4ab0-4765-b253-1875cd9b441e","tags":["Exploit"]}]}}]}