CVE-2009-10007

CRITICAL

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks

Title source: cna

Description

Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session id after authentication. An attacker that obtains a session id cookie can use this to impersonate the victim.

References (5)

Core 5

Core References

https://metacpan.org/pod/Catalyst::Plugin::Session#change_session_id

Release Notes release-notes

https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_027/changes

Patch patch

https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b1385ea87a2491b64f33169222af19982d0acce3.patch

https://metacpan.org/pod/Plack::Middleware::Session#change_id

Mailing List

http://www.openwall.com/lists/oss-security/2026/06/09/10

Scores

CVSS v3 9.1

EPSS 0.0040

EPSS Percentile 31.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-384

Status published

Products (1)

ETHER/Catalyst::Plugin::Authentication < 0.10_027

Published Jun 09, 2026

Tracked Since Jun 09, 2026