CVE Catalog

CVE-2009-10007

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

10th percentile — higher than 10% of all known CVEs

Summary

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl are susceptible to session fixation attacks. The plugin does not automatically change the session id after authentication, allowing an attacker to impersonate the victim.

Risk Assessment

The organization may be exposed to session hijacking of users, leading to unauthorized access to resources. An attacker with the session id can take control of the victim's account.

Recommendation

It is recommended to update Catalyst::Plugin::Authentication to version 0.10_027 or later to mitigate the risk of session fixation attacks. Additionally, implementing mechanisms to change the session id after authentication is advisable.

Original NVD description (English source)

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS