The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via vectors related to the dump_html function.
Fixed important bug introducted in 4.02 in which a mode_param set in a sub-class would have been ignored. A new automated test was added to prevent this regression in the future.