CVE-2008-1396
EPSS: 0.33%
Plone credentials stored in session cookie
Published: 5/1/2022 | Modified: 11/8/2023
Description
Plone CMS 3.1.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.
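As an added illustration, not code from Plone or from this advisory: a Python sketch of the invariant-input cookie tag the description refers to, beside a tag bound to an issue time and lifetime so a captured value stops verifying. The secret, field layout and hash choice are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed placeholder secret for the demonstration (assumed, not a Plone value).
SECRET = b"server-secret-placeholder"


def weak_cookie(username: str) -> str:
    """Sign only invariant data, as the advisory describes: the same user and
    the same secret always give the same tag, so every login yields the same
    cookie and a captured copy stays valid until the server secret changes."""
    tag = hmac.new(SECRET, username.encode(), hashlib.sha1).hexdigest()
    return f"{username}:{tag}"


def weak_verify(cookie: str) -> bool:
    username, tag = cookie.rsplit(":", 1)
    expected = hmac.new(SECRET, username.encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(tag, expected)


def hardened_cookie(username: str, issued_at: int, ttl: int) -> str:
    """Bind the tag to an issue time and an expiry so each login produces a
    different value and the cookie is only accepted during its lifetime."""
    expires = issued_at + ttl
    msg = f"{username}|{issued_at}|{expires}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{username}|{issued_at}|{expires}|{tag}"


def hardened_verify(cookie: str, now: int) -> bool:
    try:
        username, issued_at, expires, tag = cookie.rsplit("|", 3)
        issued_at_i, expires_i = int(issued_at), int(expires)
    except ValueError:
        return False  # malformed cookie
    msg = f"{username}|{issued_at}|{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    # Reject a forged or altered tag, and reject a genuine tag outside its lifetime.
    return hmac.compare_digest(tag, expected) and issued_at_i <= now < expires_i
```

Rotating the server secret is the only way to invalidate a weak cookie; the hardened form expires on its own and can additionally be invalidated per user by rotating a per-user component into the signed message.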
Affected packages (1)
- PyPI/plone: from 0, <= 3.1.7
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2008-1396
- WEB: http://securityreason.com/securityalert/3754
- WEB: https://exchange.xforce.ibmcloud.com/vulnerabilities/41421
- WEB: https://github.com/plone/Plone
- WEB: http://www.procheckup.com/Hacking_Plone_CMS.pdf
- WEB: http://www.securityfocus.com/archive/1/489544/100/0/threaded