ID CVE-2008-1394
Summary Plone CMS before 3 places a base64 encoded form of the username and password in the __ac cookie for all user accounts, which makes it easier for remote attackers to obtain access by sniffing the network.
References
Vulnerable Configurations
  • cpe:2.3:a:plone:plone_cms:2.0.5
    cpe:2.3:a:plone:plone_cms:2.0.5
  • cpe:2.3:a:plone:plone_cms:2.1.2
    cpe:2.3:a:plone:plone_cms:2.1.2
  • cpe:2.3:a:plone:plone_cms:2.1.3:rc1
    cpe:2.3:a:plone:plone_cms:2.1.3:rc1
  • cpe:2.3:a:plone:plone_cms:2.5
    cpe:2.3:a:plone:plone_cms:2.5
  • cpe:2.3:a:plone:plone_cms:2.5:beta1
    cpe:2.3:a:plone:plone_cms:2.5:beta1
  • cpe:2.3:a:plone:plone_cms:2.5:beta2
    cpe:2.3:a:plone:plone_cms:2.5:beta2
  • cpe:2.3:a:plone:plone_cms:2.5.1
    cpe:2.3:a:plone:plone_cms:2.5.1
CVSS
Base: 7.5 (as of 20-03-2008 - 11:31)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
refmap via4
bugtraq 20080313 PR08-02: Plone CMS Security Research - the Art of Plowning
confirm http://plone.org/about/security/overview/security-overview-of-plone/
misc http://www.procheckup.com/Hacking_Plone_CMS.pdf
sreason 3754
xf plone-accookie-mitm(41425)
Last major update 15-10-2009 - 00:00
Published 19-03-2008 - 20:44
Last modified 11-10-2018 - 16:33
Back to Top