CVE Daily
← All tags

Tag: Perl

All CVEs associated with "Perl". Page 3/5 • 496 CVEs.

Subscribe CVEs: RSS for “Perl”  ·  RSS (High+Critical only)

About “Perl”

A curated feed of “Perl”-related CVEs appears below. We currently track 496 CVEs for this tag (all time). In the last 365 days, 141 were published. Average CVSS is 7.0 (all time; 7.9 over 365d), and 57% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), CWE-122 - Heap-based Buffer Overflow, CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2020-01-28
Medium

CVE-2014-3230

The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
Critical

CVE-2013-1437

Eval injection vulnerability in the Module-Metadata module before 1.000015 for Perl allows remote attackers to execute arbitrary Perl code via the $Version value.

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2020-01-16
High

CVE-2019-20327

Insecure permissions in cwrapper_perl in Centreon Infrastructure Monitoring Software through 19.10 allow local attackers to gain privileges. (cwrapper_perl is a setuid executable allowing execution o…

CVSS: 7.8 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2019-12-10
Medium

CVE-2013-4184

Perl module Data::UUID from CPAN version 1.219 vulnerable to symlink attacks

CVSS: 5.5 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2019-11-12
Critical

CVE-2010-3438

libpoe-component-irc-perl before v6.32 does not remove carriage returns and line feeds. This can be used to execute arbitrary IRC commands by passing an argument such as "some text\rQUIT" to the 'pri…

CVSS: 9.8 CWE: CWE-134 - Use of Externally-Controlled Format String View on NVD
2019-11-07
Critical

CVE-2013-1751

TWiki before 5.1.4 allows remote attackers to execute arbitrary shell commands by sending a crafted '%MAKETEXT{}%' parameter value containing Perl backtick characters.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
2019-08-01
High

CVE-2018-20911

cPanel before 70.0.23 allows code execution because "." is in @INC during a Perl syntax check of cpaddonsup (SEC-359).

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2019-07-25
Critical

CVE-2019-1010161

perl-CRYPT-JWT 0.022 and earlier is affected by: Incorrect Access Control. The impact is: bypass authentication. The component is: JWT.pm for JWT security token, line 614 in _decode_jws(). The attack…

CVSS: 9.8 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2019-07-17
Critical

CVE-2019-1010263

Perl Crypt::JWT prior to 0.023 is affected by: Incorrect Access Control. The impact is: allow attackers to bypass authentication by providing a token by crafting with hmac(). The component is: JWT.pm…

CVSS: 9.8 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2018-12-07
Critical

CVE-2018-18314

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVSS: 9.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Critical

CVE-2018-18313

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive information from process memory.

CVSS: 9.1 CWE: CWE-125 - Out-of-bounds Read View on NVD
Critical

CVE-2018-18311

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVSS: 9.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
2018-12-05
Critical

CVE-2018-18312

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.

CVSS: 9.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2018-08-26
Critical

CVE-2011-2767

mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2018-06-29
Medium

CVE-2018-10860

perl-archive-zip is vulnerable to a directory traversal in Archive::Zip. It was found that the Archive::Zip module did not properly sanitize paths while extracting zip files. An attacker able to prov…

CVSS: 5.4 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2018-06-20
High

CVE-2018-12558

The parse() method in the Email::Address module through 1.909 for Perl is vulnerable to Algorithmic complexity on specially prepared input, leading to Denial of Service. Prepared special input that c…

CVSS: 7.5 CWE: CWE-407 - Inefficient Algorithmic Complexity View on NVD
2018-06-08
Critical

CVE-2018-9246

The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as used in LedgerSMB through 1.5.x, insufficiently sanitizes or escapes variable values used as part of shell command execution, resulting…

CVSS: 9.8 CWE: CWE-116 - Improper Encoding or Escaping of Output View on NVD
2018-06-07
High

CVE-2018-12015

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mechanism, and overwrite arbitrary files, via an archive file containing a symlink a…

CVSS: 7.5 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2018-04-20
Critical

CVE-2014-0931

Multiple XML external entity (XXE) vulnerabilities in the (1) CCRC WAN Server / CM Server, (2) Perl CC/CQ integration trigger scripts, (3) CMAPI Java interface, (4) ClearCase remote client, and (5) C…

CVSS: 9.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2018-04-17
Critical

CVE-2018-6913

Heap-based buffer overflow in the pack function in Perl before 5.26.2 allows context-dependent attackers to execute arbitrary code via a large item count.

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
High

CVE-2018-6798

An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
Critical

CVE-2018-6797

An issue was discovered in Perl 5.18 through 5.26. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written.

CVSS: 9.8 CWE: CWE-787 - Out-of-bounds Write View on NVD
2018-01-08
Medium

CVE-2014-5509

clipedit in the Clipboard module for Perl allows local users to delete arbitrary files via a symlink attack on /tmp/clipedit$$.

CVSS: 5.5 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2017-11-07
Critical

CVE-2008-7319

The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing…

CVSS: 9.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2017-11-01
High

CVE-2017-16248

The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows remote attackers to read arbitrary files if there is a '.' character anywhere in the pathname, which differs from the intended pol…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-09-29
High

CVE-2017-14867

Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers…

CVSS: 8.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2017-09-28
Critical

CVE-2017-12814

Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 on Windows allows attackers to execute arbitrary code via a long en…

CVSS: 9.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2017-09-19
Critical

CVE-2017-12883

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to disclose sensitive information or cause a denial of se…

CVSS: 9.1 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
High

CVE-2017-12837

Heap-based buffer overflow in the S_regatom function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 allows remote attackers to cause a denial of service (out-of-bounds write) v…

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2017-08-08
Critical

CVE-2010-3845

libapache-authenhook-perl 2.00-04 stores usernames and passwords in plaintext in the vhost error log.

CVSS: 9.8 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2017-07-01
Medium

CVE-2017-10789

The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 setting to mean that SSL is optional (even though this setting's documentation has a "your communication with the server will be encr…

CVSS: 5.9 CWE: N/A View on NVD
Critical

CVE-2017-10788

The DBD::mysql module through 4.043 for Perl allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact by triggering (1) ce…

CVSS: 9.8 CWE: CWE-416 - Use After Free View on NVD
2017-06-29
Critical

CVE-2017-10672

Use-after-free in the XML-LibXML module through 2.0129 for Perl allows remote attackers to execute arbitrary code by controlling the arguments to a replaceChild call.

CVSS: 9.8 CWE: CWE-416 - Use After Free View on NVD
2017-06-19
High

CVE-2017-4985

In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, a local authenticated user may potentially escalate their privileges to root due to authorization…

CVSS: 7.8 CWE: CWE-862 - Missing Authorization View on NVD
2017-06-07
Medium

CVE-2015-8326

The IPTables-Parse module before 1.6 for Perl allows local users to write to arbitrary files owned by the current user.

CVSS: 5.5 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2017-06-01
Medium

CVE-2017-6512

Race condition in the rmtree and remove_tree functions in the File-Path module before 2.13 for Perl allows attackers to set the mode on arbitrary files via vectors involving directory-permission loos…

CVSS: 5.9 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2017-05-23
High

CVE-2017-0374

lib/Config/Model.pm in Config-Model (aka libconfig-model-perl) before 2.102 allows local users to gain privileges via a crafted model in the current working directory, related to use of . with the IN…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2017-0373

The gen_class_pod implementation in lib/Config/Model/Utils/GenClassPod.pm in Config-Model (aka libconfig-model-perl) before 2.102 has a dangerous "use lib" line, which allows remote attackers to have…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
2017-03-22
Critical

CVE-2017-6972

AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an error in privilege dropping and unnecessarily execute the NfSen Perl code as root, aka AlienVault ID ENG-104945, a different vulne…

CVSS: 9.8 CWE: CWE-273 - Improper Check for Dropped Privileges View on NVD
2017-02-17
Medium

CVE-2016-1249

The DBD::mysql module before 4.039 for Perl, when using server-side prepared statement support, allows attackers to cause a denial of service (out-of-bounds read) via vectors involving an unaligned n…

CVSS: 5.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
2017-02-07
Critical

CVE-2015-8608

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of-bounds read) and possibly execute arbitrary code via a crafted (1) drive lette…

CVSS: 9.8 CWE: CWE-125 - Out-of-bounds Read View on NVD
2016-12-22
High

CVE-2016-9181

perl-Image-Info: When parsing an SVG file, external entity expansion (XXE) was not disabled. An attacker could craft an SVG file which, when processed by an application using perl-Image-Info, could c…

CVSS: 7.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
Critical

CVE-2016-9180

perl-XML-Twig: The option to `expand_external_ents`, documented as controlling external entity expansion in XML::Twig does not work. External entities are always expanded, regardless of the option's…

CVSS: 9.1 CWE: CWE-611 - Improper Restriction of XML External Entity Reference View on NVD
2016-11-29
High

CVE-2016-1251

There is a vulnerability of type use-after-free affecting DBD::mysql (aka DBD-mysql or the Database Interface (DBI) MySQL driver for Perl) 3.x and 4.x before 4.041 when used with mysql_server_prepare…

CVSS: 8.1 CWE: CWE-416 - Use After Free View on NVD
2016-11-22
High

CVE-2015-8978

In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with th…

CVSS: 7.5 CWE: CWE-399 View on NVD
2016-11-10
Critical

CVE-2016-7489

Teradata Virtual Machine Community Edition v15.10's perl script /opt/teradata/gsctools/bin/t2a.pl creates files in /tmp in an insecure manner, this may lead to elevated code execution.

CVSS: 9.8 CWE: CWE-264 View on NVD
2016-10-05
High

CVE-2016-1246

Buffer overflow in the DBD::mysql module before 4.037 for Perl allows context-dependent attackers to cause a denial of service (crash) via vectors related to an error message.

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2016-09-25
Medium

CVE-2016-4748

Perl in Apple OS X before 10.12 allows local users to bypass the taint-mode protection mechanism via a crafted environment variable.

CVSS: 5.3 CWE: CWE-254 View on NVD
2016-08-02
High

CVE-2016-6185

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which might allow local users to execute arbitrary code via a Trojan horse library under…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2016-1238

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encod…

CVSS: 7.8 CWE: CWE-264 View on NVD
2016-05-25
High

CVE-2015-8853

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2016-04-08
High

CVE-2016-2381

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2016-04-07
High

CVE-2016-1531

Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.

CVSS: 7.0 CWE: CWE-264 View on NVD
2016-01-13
High

CVE-2015-8607

The canonpath function in the File::Spec module in PathTools before 3.62, as used in Perl, does not properly preserve the taint attribute of data, which might allow context-dependent attackers to byp…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
2015-10-31
Low

CVE-2015-5667

Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a cr…

CVSS: 2.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2015-10-06
High

CVE-2015-7686

Algorithmic complexity vulnerability in Address.pm in the Email-Address module 1.908 and earlier for Perl allows remote attackers to cause a denial of service (CPU consumption) via a crafted string c…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2015-08-16
High

CVE-2013-7422

Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service…

CVSS: 7.5 CWE: CWE-189 View on NVD
2015-03-21
High

CVE-2015-0898

futomi CGI Cafe MP Form Mail CGI eCommerce before 2.0.12 on Windows allows remote attackers to execute arbitrary Perl code via unspecified vectors.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2015-02-19
High

CVE-2015-1592

Movable Type Pro, Open Source, and Advanced before 5.2.12 and Pro and Advanced 6.0.x before 6.0.7 does not properly use the Perl Storable::thaw function, which allows remote attackers to include and…

CVSS: 7.5 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2015-02-07
Medium

CVE-2015-0871

Cross-site scripting (XSS) vulnerability in Mrs. Shiromuku Perl CGI shiromuku(u1)GUESTBOOK 1.62 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2015-02-01
High

CVE-2015-0868

Unrestricted file upload vulnerability in Mrs. Shiromuku Perl CGI shiromuku(bu2)BBS before 2.91 allows remote attackers to execute arbitrary code by uploading an executable file.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2014-8630

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcompon…

CVSS: 6.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2014-12-08
Medium

CVE-2014-9130

scanner.c in LibYAML 0.1.5 and 0.1.6, as used in the YAML-LibYAML (aka YAML-XS) module for Perl, allows context-dependent attackers to cause a denial of service (assertion failure and crash) via vect…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2014-10-25
Medium

CVE-2014-7180

Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by…

CVSS: 4.6 CWE: CWE-264 View on NVD
2014-10-20
Medium

CVE-2012-5697

The btinstall installation script in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 uses weak permissions (777) for all files in the frameworkgui/ directory, which allows local users t…

CVSS: 4.6 CWE: CWE-264 View on NVD
2014-10-06
Low

CVE-2014-1875

The Capture::Tiny module before 0.24 for Perl allows local users to write to arbitrary files via a symlink attack on a temporary file.

CVSS: 3.6 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
Medium

CVE-2013-7329

The CGI::Application module before 4.50_50 and 4.50_51 for Perl, when run modes are not specified, allows remote attackers to obtain sensitive information (web queries and environment details) via ve…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-09-30
Low

CVE-2014-4330

The Dumper method in Data::Dumper before 2.154, as used in Perl 5.20.1 and earlier, allows context-dependent attackers to cause a denial of service (stack consumption and crash) via an Array-Referenc…

CVSS: 2.1 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2014-07-06
Medium

CVE-2014-4720

Email::Address module before 1.904 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via vectors related to "backtracking i…

CVSS: 5.0 CWE: N/A View on NVD
2014-07-03
Medium

CVE-2014-0477

The parse function in Email::Address module before 1.905 for Perl uses an inefficient regular expression, which allows remote attackers to cause a denial of service (CPU consumption) via an empty quo…

CVSS: 5.0 CWE: N/A View on NVD
2014-06-04
High

CVE-2012-6143

Spoon::Cookie in the Spoon module 0.24 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2012-6142

Session::Cookie in the HTML::EP module 0.2011 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request, which is not p…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2012-6141

The App::Context module 0.01 through 0.968 for Perl does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via a crafted request to (1) App::Sessio…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2014-04-29
Medium

CVE-2013-7284

The PlRPC module, possibly 0.2020 and earlier, for Perl uses the Storable module, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it…

CVSS: 6.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2014-04-27
Medium

CVE-2014-2285

The perl_trapd_handler function in perl/TrapReceiver/TrapReceiver.xs in Net-SNMP 5.7.3.pre3 and earlier, when using certain Perl versions, allows remote attackers to cause a denial of service (snmptr…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2014-04-18
Medium

CVE-2013-4279

imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-02-10
Medium

CVE-2010-4777

The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, 5.14.0, and other versions, when running with debugging enabled, allows context-dependent attackers to cause a denial of service (ass…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2014-01-28
High

CVE-2013-7135

The Proc::Daemon module 0.14 for Perl uses world-writable permissions for a file that stores a process ID, which allows local users to have an unspecified impact by modifying this file.

CVSS: 7.2 CWE: CWE-264 View on NVD
2014-01-26
Medium

CVE-2014-1626

XML External Entity (XXE) vulnerability in MARC::File::XML module before 1.0.2 for Perl, as used in Evergreen, Koha, perl4lib, and possibly other products, allows context-dependent attackers to read…

CVSS: 5.0 CWE: CWE-264 View on NVD
2013-12-12
Critical

CVE-2013-2751

Eval injection vulnerability in frontview/lib/np_handler.pl in the FrontView web interface in NETGEAR ReadyNAS RAIDiator before 4.1.12 and 4.2.x before 4.2.24 allows remote attackers to execute arbit…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-11-23
Medium

CVE-2013-4407

HTTP::Body::Multipart in the HTTP-Body module for Perl (1.07 through 1.22, before 1.23) uses the part of the uploaded file's name after the first "." character as the suffix of a temporary file, whic…

CVSS: 6.8 CWE: N/A View on NVD
2013-08-19
Medium

CVE-2013-2145

The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a "special u…

CVSS: 4.4 CWE: CWE-20 - Improper Input Validation View on NVD
2013-03-14
High

CVE-2013-1667

The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.

CVSS: 7.5 CWE: CWE-399 View on NVD
2013-01-23
High

CVE-2013-0209

lib/MT/Upgrade.pm in mt-upgrade.cgi in Movable Type 4.2x and 4.3x through 4.38 does not require authentication for requests to database-migration functions, which allows remote attackers to conduct e…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2013-01-04
High

CVE-2012-6329

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket n…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2012-12-24
Critical

CVE-2012-5932

Eval injection vulnerability in the ldapagnt_eval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code…

CVSS: 10.0 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2012-12-21
Medium

CVE-2011-2728

The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, whic…

CVSS: 4.3 CWE: N/A View on NVD
2012-12-18
High

CVE-2012-5195

Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial…

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2012-12-05
Low

CVE-2009-2899

The monitor perl script in the Sybase database plug-in in SpringSource Hyperic HQ before 4.3 allows local users to obtain the database password by listing the process and its arguments.

CVSS: 2.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2012-11-21
Medium

CVE-2012-5526

CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applicati…

CVSS: 5.0 CWE: CWE-16 View on NVD
2012-10-11
Medium

CVE-2012-5377

Untrusted search path vulnerability in the installation functionality in ActivePerl 5.16.1.1601, when installed in the top-level C:\ directory, allows local users to gain privileges via a Trojan hors…

CVSS: 6.0 CWE: N/A View on NVD
2012-10-07
Low

CVE-2011-4363

ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when TTY information caching is enabled, allows local users to overwrite arbitrary files via a symlink attack on /tmp/TTYDEVS.

CVSS: 2.6 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2012-09-11
Medium

CVE-2012-2981

Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the type (aka monitor type name) parameter.

CVSS: 6.0 CWE: CWE-20 - Improper Input Validation View on NVD
2012-09-09
Medium

CVE-2012-1152

Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and perl-YAML-LibYAML) module 0.38 for Perl allow remote attackers to cause a denial…

CVSS: 5.0 CWE: CWE-134 - Use of Externally-Controlled Format String View on NVD
Medium

CVE-2012-1151

Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (proce…

CVSS: 5.0 CWE: CWE-134 - Use of Externally-Controlled Format String View on NVD
2012-06-27
Low

CVE-2012-2451

The Config::IniFiles module before 2.71 for Perl creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. NOTE: some of these detai…

CVSS: 3.6 CWE: N/A View on NVD
2012-02-25
Medium

CVE-2012-0453

Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of…

CVSS: 5.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2012-01-13
Low

CVE-2011-5060

The par_mktmpdir function in the PAR module before 1.003 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which a…

CVSS: 3.3 CWE: CWE-264 View on NVD
Low

CVE-2011-4114

The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory,…

CVSS: 3.3 CWE: CWE-264 View on NVD
High

CVE-2011-3597

Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2011-2939

Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service…

CVSS: 5.1 CWE: CWE-189 View on NVD
2012-01-06
Medium

CVE-2011-4616

Cross-site scripting (XSS) vulnerability in the HTML-Template-Pro module before 0.9507 for Perl allows remote attackers to inject arbitrary web script or HTML via template parameters, related to impr…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2011-10-10
Medium

CVE-2011-3599

The Crypt::DSA (aka Crypt-DSA) module 1.17 and earlier for Perl, when /dev/random is absent, uses the Data::Random module, which makes it easier for remote attackers to spoof a signature, or determin…

CVSS: 5.8 CWE: CWE-310 View on NVD
2011-09-23
High

CVE-2011-2766

The FCGI (aka Fast CGI) module 0.70 through 0.73 for Perl, as used by CGI::Fast, uses environment variable values from one request during processing of a later request, which allows remote attackers…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
2011-09-14
Medium

CVE-2011-2201

The Data::FormValidator module 4.66 and earlier for Perl, when untaint_all_constraints is enabled, does not properly preserve the taint attribute of data, which might allow remote attackers to bypass…

CVSS: 4.3 CWE: CWE-264 View on NVD
2011-06-30
Low

CVE-2009-5081

The (1) config.guess, (2) contrib/groffer/perl/groffer.pl, and (3) contrib/groffer/perl/roff2.pl scripts in GNU troff (aka groff) 1.21 and earlier use an insufficient number of X characters in the te…

CVSS: 3.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2011-05-13
Medium

CVE-2011-0633

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, doe…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2011-0761

Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) r…

CVSS: 5.0 CWE: N/A View on NVD
2011-04-11
Medium

CVE-2011-1487

The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon pro…

CVSS: 5.0 CWE: CWE-264 View on NVD
2011-02-09
Critical

CVE-2011-0923

The client in HP Data Protector does not properly validate EXEC_CMD arguments, which allows remote attackers to execute arbitrary Perl code via a crafted command, related to the "local bin directory."

CVSS: 10.0 CWE: CWE-20 - Improper Input Validation View on NVD
2011-01-14
Medium

CVE-2010-4334

The IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERIFY_NONE, fails open to VERIFY_NONE instead of throwing an error when a ca_file/ca_path cannot be verified, which allows remote at…

CVSS: 4.0 CWE: CWE-310 View on NVD
2010-10-14
Low

CVE-2010-2389

Unspecified vulnerability in the Perl component in Oracle Database Server 11.2.0.1, 11.1.0.7, 10.2.0.3, 10.2.0.4, and 10.1.0.5; and Fusion Middleware 11.1.1.1.0 and 11.1.1.2.0; allows local users to…

CVSS: 1.0 CWE: N/A View on NVD
2010-10-06
Medium

CVE-2010-3433

The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not prope…

CVSS: 6.0 CWE: CWE-264 View on NVD
2010-09-20
Medium

CVE-2010-3476

Open Ticket Request System (OTRS) 2.3.x before 2.3.6 and 2.4.x before 2.4.8 does not properly handle the matching of Perl regular expressions against HTML e-mail messages, which allows remote attacke…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2010-07-06
Medium

CVE-2010-2253

lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a . (dot) character, which allows remote servers to create or overwrite files via (1) a 3xx redirect to…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2010-06-21
High

CVE-2010-1168

The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code,…

CVSS: 7.5 CWE: CWE-264 View on NVD
2010-05-19
High

CVE-2010-1447

The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 be…

CVSS: 8.5 CWE: CWE-264 View on NVD
High

CVE-2010-1169

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedure…

CVSS: 8.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2010-04-20
Medium

CVE-2010-1158

Integer overflow in the regular expression engine in Perl 5.8.x allows context-dependent attackers to cause a denial of service (stack consumption and application crash) by matching a crafted regular…

CVSS: 5.0 CWE: CWE-189 View on NVD
2009-12-10
Critical

CVE-2009-3845

The port-3443 HTTP server in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary commands via shell metacharacters in the hostname parameter to…

CVSS: 10.0 CWE: N/A View on NVD