CRITICAL🇵🇱 Wersja polska

CVE-2025-15578

CVSS 9.8v3.1pub. 2026-02-16upd. 2026-03-10

Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.

🤖 AI Analysis
How it works

The session identifier is generated based on three elements: server system time, the result of the built-in rand() function, and process identifier (PID). The system time is publicly available in HTTP response headers, Perl's rand() function is not cryptographically secure, and the PID can be guessed or determined by brute-force. The combination of these weak entropy sources (CWE-338 — use of cryptographically weak pseudo-random number generator) makes the space of possible session identifiers drastically limited and predictable.

Impact

An unauthenticated remote attacker can guess or recreate valid session identifiers, leading to session hijacking of logged-in users and consequently unauthorized access to their accounts and data.

Mitigation & patch

Apply patches available from the vendor according to the references. Until updating, it is recommended to consider implementing an external session management mechanism based on a cryptographically secure random number generator.

Who is affected

Teejay Maypole for Perl in versions 2.10 to 2.13 inclusive

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Teejay Maypole

    APP
    Teejay
    2.1112.1212.10 – 2.13
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References