Mojo::DOM did not correctly parse <script> tags.

• https://github.com/mojolicious/mojo/commit/6f195d85db6756022d3599f7d2634975688c9550
• https://github.com/mojolicious/mojo/issues/2014
• https://github.com/mojolicious/mojo/issues/2015

Small sessions could be used as part of a brute-force attack to decode the session secret.

• https://github.com/mojolicious/mojo/pull/1791

A bug in format detection can potentially be exploited for a DoS attack.

• https://github.com/mojolicious/mojo/issues/1736
• https://github.com/mojolicious/mojo/commit/a0c4576ffb11c235088550de9ba7ac4196e1953c

Mojo::UserAgent was not checking peer SSL certificates by default.

• https://github.com/mojolicious/mojo/pull/1226
• https://github.com/mojolicious/mojo/commit/d3cbbad890673612fdbdea63fdd522b516f6104c

GET requests with embedded backslashes can be used to access local files on Windows hosts

• https://github.com/mojolicious/mojo/pull/1217
• https://github.com/mojolicious/mojo/commit/23ebe051d9378f0f122e3c908845fc0c2cae0106

Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain.

• https://github.com/mojolicious/mojo/pull/1192
• https://github.com/mojolicious/mojo/issues/1185
• https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149

Directory traversal on Windows

• https://github.com/mojolicious/mojo/issues/738
• https://github.com/mojolicious/mojo/commit/9ffa38fca73a9ddee91cbc70e0696268d500edde

Context sensitivity of method param could lead to parameter injection attacks.

• https://github.com/mojolicious/mojo/commit/a815d4797145f872ef6e9f1270841eda1d410afb

Directory traversal vulnerability in Path.pm in Mojolicious before 1.16 allows remote attackers to read arbitrary files via a %2f..%2f (encoded slash dot dot slash) in a URI.

• https://github.com/mojolicious/mojo/commit/b09854988c5b5b6a2ba53cc8661c4b2677da3818
• https://www.cvedetails.com/cve/CVE-2011-1589/

Mojolicious before 0.999927 does not properly implement HMAC-MD5 checksums, which has unspecified impact and remote attack vectors.

• http://cpansearch.perl.org/src/KRAIH/Mojolicious-1.20/Changes
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622952
• http://www.debian.org/security/2011/dsa-2239

Commands.pm in Mojolicious before 0.999928 does not properly perform CGI environment detection, which has unspecified impact and remote attack vectors.

• https://github.com/kraih/mojo/commit/b3a1fb453eda447c0bb082cd9eed81bb75a7564a
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622952
• https://github.com/kraih/mojo/commit/aa7c8da54b1ebd4ccb64aa66dede7b7cdb381c44
• http://cpansearch.perl.org/src/KRAIH/Mojolicious-1.20/Changes
• http://www.debian.org/security/2011/dsa-2239

Cross-site scripting (XSS) vulnerability in the link_to helper in Mojolicious before 1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

• http://cpansearch.perl.org/src/KRAIH/Mojolicious-1.20/Changes
• http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060122.html
• http://www.debian.org/security/2011/dsa-2239
• http://www.securityfocus.com/bid/47713
• https://exchange.xforce.ibmcloud.com/vulnerabilities/67257