/ 
Mojolicious-Plugin-Web-Auth-0.17
⭐ Starred 22
Security Advisories (1)
CVE-2026-9733 (2026-06-23)

Mojolicious::Plugin::Web::Auth::OAuth2 versions through 0.17 for Perl have an insecure default state parameter. When no state generator is specified in the constructor, the module defaults to using a SHA-1 hash of predictable and low-entropy sources, including the epoch time (which is leaked via the HTTP Date header) and a call to Perl's built-in rand function. A predictable state allows an attacker to hijack another user's session through cross site request forgery (CSRF).

Changes for version 0.17 - 2019-04-21

  • merged PR #35. thanks Grinnz@github

Documentation

README.md

Modules

Mojolicious::Plugin::Web::Auth
Authentication plugin for Mojolicious

Provides

Mojolicious::Plugin::Web::Auth::Base
in lib/Mojolicious/Plugin/Web/Auth/Base.pm
Mojolicious::Plugin::Web::Auth::OAuth
in lib/Mojolicious/Plugin/Web/Auth/OAuth.pm
Mojolicious::Plugin::Web::Auth::OAuth2
in lib/Mojolicious/Plugin/Web/Auth/OAuth2.pm
Mojolicious::Plugin::Web::Auth::Site::Dropbox
in lib/Mojolicious/Plugin/Web/Auth/Site/Dropbox.pm
Mojolicious::Plugin::Web::Auth::Site::Facebook
in lib/Mojolicious/Plugin/Web/Auth/Site/Facebook.pm
Mojolicious::Plugin::Web::Auth::Site::Github
in lib/Mojolicious/Plugin/Web/Auth/Site/Github.pm
Mojolicious::Plugin::Web::Auth::Site::Google
in lib/Mojolicious/Plugin/Web/Auth/Site/Google.pm
Mojolicious::Plugin::Web::Auth::Site::Instagram
in lib/Mojolicious/Plugin/Web/Auth/Site/Instagram.pm
Mojolicious::Plugin::Web::Auth::Site::Twitter
in lib/Mojolicious/Plugin/Web/Auth/Site/Twitter.pm
Mojolicious::Plugin::Web::Auth::Site::Yandex
in lib/Mojolicious/Plugin/Web/Auth/Site/Yandex.pm

Examples

Other files