CVE-2008-1393

Advisory

Plone CMS 3.0.5, and probably other 3.x versions, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords
• http://plone.org/products/plone/roadmap/48?
• http://www.procheckup.com/Hacking_Plone_CMS.pdf
• http://securityreason.com/securityalert/3754
• https://exchange.xforce.ibmcloud.com/vulnerabilities/41427
• http://www.securityfocus.com/archive/1/489544/100/0/threaded
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1393