PT-2025-18947 · Unknown · Mojolicious

Author: Antoine Cervoise
Published: 2025-05-03
Updated: 2025-10-20
CVE: CVE-2024-58134
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Mojolicious versions 0.999922 through 9.39
Description: Mojolicious for Perl uses either a hard-coded string or the application's class name as the default HMAC secret for signing session cookies. Because this default secret is predictable, an attacker who knows or guesses it can forge valid session cookies and thereby tamper with or hijack another user's session.
Recommendations: For Mojolicious versions 0.999922 through 9.39, change the default HMAC session secret to a unique, randomly generated value so that session cookies cannot be forged. As a temporary workaround, restrict access to sensitive user sessions until a secure secret is in place.
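The following is an added example, not code from the advisory or from the Mojolicious project, showing how an application can apply the recommendation: it loads the session secret from an environment variable (the names MOJO_SESSION_SECRET and MOJO_SESSION_SECRET_PREVIOUS are assumptions chosen for this example), refuses to start if the secret is missing, short, or equal to the application's own class or moniker name, and passes an ordered list to `secrets` so that a previous secret can still verify existing cookies during rotation.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or the Mojolicious project): a
# Mojolicious::Lite application that refuses to run with a predictable
# session secret and supports secret rotation.
use Mojolicious::Lite -signatures;

# Load the secret from the environment instead of hard-coding it.
# MOJO_SESSION_SECRET is an assumed variable name for this example.
my $secret = $ENV{MOJO_SESSION_SECRET}
  // die "MOJO_SESSION_SECRET must be set to a long random value\n";

# Reject the predictable defaults the advisory describes: a short
# hard-coded string or the application's own class/moniker name.
die "Session secret must be at least 32 characters\n" if length($secret) < 32;
die "Session secret must not equal the application name\n"
  if $secret eq app->moniker || $secret eq ref app;

# Mojolicious signs cookies with the first secret and verifies with all of
# them, so an optional previous secret lets you rotate without logging
# every user out. MOJO_SESSION_SECRET_PREVIOUS is also an assumed name.
my @secrets = ($secret);
push @secrets, $ENV{MOJO_SESSION_SECRET_PREVIOUS}
  if $ENV{MOJO_SESSION_SECRET_PREVIOUS};
app->secrets(\@secrets);

# A route that stores state in the signed session cookie, so a forged or
# tampered cookie would be rejected and the counter would restart.
get '/' => sub ($c) {
  my $visits = $c->session('visits') // 0;
  $c->session(visits => ++$visits);
  $c->render(text => "Visits this session: $visits\n");
};

app->start;
```

Generate the secret outside the application, for example with `openssl rand -base64 48`, and start the app with `MOJO_SESSION_SECRET="$(openssl rand -base64 48)" perl app.pl daemon`. To rotate, move the current value into MOJO_SESSION_SECRET_PREVIOUS, set a fresh MOJO_SESSION_SECRET, and drop the previous value once old sessions have expired.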


Related Identifiers

AZL-61673
AZL-61825
CVE-2024-58134

Affected Products

Debian
Mojolicious