Lucene search

[email protected]CVE-2008-1393

HistoryMar 20, 2008 - 12:44 a.m.

CVE-2008-1393

2008-03-2000:44:00

CWE-255

[email protected]

web.nvd.nist.gov

plone cms

cve-2008-1393

security vulnerability

admin credentials

network sniffing

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

6.8 Medium

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.7%

JSON

Plone CMS 3.0.5, and probably other 3.x versions, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network.

Affected configurations

NVD

Node

ploneplone_cmsRange≤3

ploneplone_cmsRange≤3.0.5

CPENameOperatorVersion
plone:plone_cmsplone plone cmsle3
plone:plone_cmsplone plone cmsle3.0.5

CPE	Name	Operator	Version
plone:plone_cms	plone plone cms	le	3
plone:plone_cms	plone plone cms	le	3.0.5

References

plone.org/documentation/how-to/secure-login-without-plain-text-passwords

plone.org/products/plone/roadmap/48?

securityreason.com/securityalert/3754

www.procheckup.com/Hacking_Plone_CMS.pdf

www.securityfocus.com/archive/1/489544/100/0/threaded

exchange.xforce.ibmcloud.com/vulnerabilities/41427

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

6.8 Medium

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.7%

JSON

Related for CVE-2008-1393

nvd1 prion1 github1 ubuntucve1 cvelist1