CVE-2008-1396

UNKNOWN

Plone CMS 3

Published Mar 20, 2008

Modified 1 years ago

Details

Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.

References

ADVISORYhttp://securityreason.com/securityalert/3754 WEBhttp://www.procheckup.com/Hacking_Plone_CMS.pdf WEBhttp://www.securityfocus.com/archive/1/489544/100/0/threaded WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/41421 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2008-1396

CVSS Analysis

CVSS v2.0

4.3

Exploitability

Access Vector

NetworkAV:N

Access Complexity

MediumAC:M

Authentication

NoneAu:N

Impact

Confidentiality

PartialC:P

Integrity

NoneI:N

Availability

NoneA:N

4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N

Ecosystems

Timeline

PublishedMar 20, 2008

ModifiedAug 7, 2024