Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely.

The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.

Predicable session ids could allow an attacker to gain access to systems.

CVE Database V5

Detailed information about CVE-2025-40923: CWE-340 Generation of Predictable Numbers or Identifiers in MIYAGAWA Plack::Middleware::Session affecting MIYAGAWA Pl

CVE-2025-40923: CWE-340 Generation of Predictable Numbers or Identifiers in MIYAGAWA Plack::Middleware::Session - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-40923: CWE-340 Generation of Predictable Numbers or Identifiers in MIYAGAWA Plack::Middleware::Session

This vulnerability exists in Digisol DG-GR6821AC Router due to use of default admin credentials at its web management interface. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the hardcoded default credentials stored in the firmware of the targeted device.

Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted device.

CVE-2025-53758 is a medium-severity vulnerability affecting the Digisol XPON ONU Wi-Fi Router model DG-GR6821AC, specifically version V3.2.XX of its firmware. The root cause of this vulnerability is the use of default administrative credentials that are hardcoded and stored in cleartext within the device's firmware. An attacker with physical access to the device can extract the firmware image and reverse engineer the binary data to retrieve these default credentials. This vulnerability is categorized under CWE-312, which pertains to the cleartext storage of sensitive information. Exploiting this flaw does not require network access or user interaction, but physical access is mandatory. Once the attacker obtains the default admin credentials, they can gain unauthorized access to the router's web management interface, potentially allowing them to alter device configurations, intercept or redirect network traffic, or further compromise connected devices. The CVSS 4.0 vector indicates the attack vector is physical (AV:P), with low attack complexity (AC:L), no privileges or user interaction required, but with high impact on confidentiality (VC:H) and no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been released yet. This vulnerability highlights poor security design in embedded device firmware, where sensitive credentials are stored insecurely and not randomized or protected by encryption or secure storage mechanisms.

Detailed information about CVE-2025-53758: CWE-312: Cleartext Storage of Sensitive Information in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC) affecting Digisol 

CVE-2025-53758: CWE-312: Cleartext Storage of Sensitive Information in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC) - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-53758: CWE-312: Cleartext Storage of Sensitive Information in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC)

This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an unsecure HTTP connection. 

Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information from the targeted device.

CVE-2025-53757 is a high-severity vulnerability affecting the Digisol XPON ONU Wi-Fi Router model DG-GR6821AC, specifically version V3.2.XX. The root cause of this vulnerability lies in the improper configuration of session cookies used by the router's web interface. The affected cookies lack the 'Secure' attribute, which is critical for ensuring that cookies are only transmitted over encrypted HTTPS connections. Additionally, the HttpOnly flag is also misconfigured or absent, increasing the risk of client-side script access to these cookies. Because the router's web interface transmits session cookies over unencrypted HTTP connections, a remote attacker can intercept these cookies via network traffic monitoring or man-in-the-middle (MITM) attacks. By capturing these sensitive session cookies, an attacker could potentially hijack the administrative session of the router, gaining unauthorized access to the device's management interface. This could lead to unauthorized configuration changes, network eavesdropping, or further compromise of connected devices. The vulnerability is classified under CWE-614 (Sensitive Cookie Without 'Secure' Attribute) and CWE-1004 (Improper Control of Generation of Code), highlighting the security misconfiguration and potential for code-related exploitation. The CVSS v4.0 score of 8.7 (high severity) reflects the vulnerability's network attack vector, low complexity, no required privileges or user interaction, and high impact on confidentiality. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk due to the ease of exploitation and the sensitive nature of router management interfaces. No patches have been linked yet, indicating that affected users should apply mitigations promptly once available.

Detailed information about CVE-2025-53757: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC) 

CVE-2025-53757: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC) - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-53757: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC)

Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3.

CVE-2025-52836 is a critical security vulnerability identified in Unity Business Technology Pty Ltd's product, The E-Commerce ERP, affecting versions up to 2.1.1.3. The vulnerability is classified under CWE-266, which pertains to Incorrect Privilege Assignment. This flaw allows an attacker to escalate privileges within the ERP system without requiring any prior authentication or user interaction. The CVSS v3.1 base score of 9.8 reflects the severity of this vulnerability, indicating that it can be exploited remotely (AV:N) with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning an attacker can gain full control over the system, access sensitive business data, modify or delete records, and disrupt ERP operations. The vulnerability arises from improper assignment or enforcement of access controls within the ERP application, allowing unauthorized users to perform actions reserved for privileged roles. Since the ERP system is a critical business application managing e-commerce and enterprise resource planning functions, exploitation could lead to severe operational disruptions, financial losses, and data breaches. No patches or fixes have been published yet, and no known exploits are reported in the wild as of the publication date. However, the critical nature of the flaw and the ease of exploitation make it a high-risk issue that requires immediate attention from affected organizations.

Detailed information about CVE-2025-52836: CWE-266 Incorrect Privilege Assignment in Unity Business Technology Pty Ltd The E-Commerce ERP affecting Unity Busine

CVE-2025-52836: CWE-266 Incorrect Privilege Assignment in Unity Business Technology Pty Ltd The E-Commerce ERP - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-52836: CWE-266 Incorrect Privilege Assignment in Unity Business Technology Pty Ltd The E-Commerce ERP

A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the  ciwweb.pl http://ciwweb.pl/  Perl web application. Exploitation allows an unauthenticated attacker can execute arbitrary commands.

Detailed information about CVE-2025-34300: CWE-20 Improper Input Validation in Sawtooth Software Lighthouse Studio affecting Sawtooth Software Lighthouse Studio

CVE-2025-34300: CWE-20 Improper Input Validation in Sawtooth Software Lighthouse Studio

CVE-2025-34300: CWE-20 Improper Input Validation in Sawtooth Software Lighthouse Studio

Description

Technical Details

Related Threats

CVE-2025-40923: CWE-340 Generation of Predictable Numbers or Identifiers in MIYAGAWA Plack::Middleware::Session

CVE-2025-53758: CWE-312: Cleartext Storage of Sensitive Information in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC)

CVE-2025-53757: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in Digisol XPON ONU Wi-Fi Router (DG-GR6821AC)

CVE-2025-52836: CWE-266 Incorrect Privilege Assignment in Unity Business Technology Pty Ltd The E-Commerce ERP

CVE-2025-52819: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in pakkemx Pakke Envíos

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility