The Kossy module before 0.60 for Perl allows JSON hijacking because of X-Requested-With mishandling.
The vulnerability classified as CWE-346 (Origin Validation Error) involves the Kossy module not properly verifying the X-Requested-With header in HTTP requests. The lack of this verification enables an attacker to perform a JSON hijacking attack, in which a malicious website can intercept JSON responses returned by an application built on the Kossy module. The attack requires no authentication or user interaction (according to CVSS vector: PR:N, UI:N).
An attacker can gain unauthorized access to sensitive data returned in JSON responses (confidentiality breach), and depending on the application architecture, may also affect the integrity and availability of the system.
The Kossy module should be updated to version 0.60 or later. Detailed information is available in the project changelog on metacpan.org and in pull request #16 in the Kossy project GitHub repository.
Kossy module for Perl in versions prior to 0.60.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H