ID CVE-2008-1396
Summary Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.
References
Vulnerable Configurations
  • cpe:2.3:a:plone:plone_cms
    cpe:2.3:a:plone:plone_cms
CVSS
Base: 4.3 (as of 20-03-2008 - 11:36)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
refmap via4
bugtraq 20080313 PR08-02: Plone CMS Security Research - the Art of Plowning
misc http://www.procheckup.com/Hacking_Plone_CMS.pdf
sreason 3754
xf plone-hmacsha1-mitm(41421)
Last major update 11-10-2008 - 01:51
Published 19-03-2008 - 20:44
Last modified 11-10-2018 - 16:33
Back to Top