CVE-2008-1396
EPSS 0.33%
Plone credentials stored in session cookie
Published: 2022/5/1
Modified: 2023/11/8
Description
Plone CMS 3.1.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.
Affected packages (1)
- PyPI/plone: from 0, <= 3.1.7
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2008-1396
- WEB: http://securityreason.com/securityalert/3754
- WEB: https://exchange.xforce.ibmcloud.com/vulnerabilities/41421
- WEB: https://github.com/plone/Plone
- WEB: http://www.procheckup.com/Hacking_Plone_CMS.pdf
- WEB: http://www.securityfocus.com/archive/1/489544/100/0/threaded