Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id
Vulnerability Description
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Amon2::Plugin::Web::CSRFDefender versions before 7.00 were part of Amon2, which was vulnerable to insecure session ids due to CVE-2025-15604. Note that the author has deprecated this module.
CVSS Information
N/A
Vulnerability Type
可预测问题
Vulnerability Title
Amon2::Plugin::Web::CSRFDefender 安全漏洞
Vulnerability Description
Amon2::Plugin::Web::CSRFDefender是TOKUHIROM个人开发者的一个Web安全防护插件。 Amon2::Plugin::Web::CSRFDefender 7.00版本至7.03版本存在安全漏洞,该漏洞源于生成不安全的会话ID,可能导致会话劫持。
CVSS Information
N/A
Vulnerability Type
N/A