Information Exposure

Affecting plone package, versions [,3.0.0)


Overview

plone is a user-friendly and extensible Content Management System running on top of Python and Zope.

Affected versions of this package are vulnerable to Information Exposure. Plone places a base64-encoded form of the username and password in the __ac cookie for every user account, which makes it easier for remote attackers to obtain access by sniffing the network.
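As an added example (not Snyk's or Plone's code), the check below lets a defender audit whether a __ac cookie still carries the credential-bearing format the advisory describes, and sets it beside the shape a hardened replacement takes: an HMAC-authenticated ticket that carries a user id and a MAC but never the password. The colon-separated "user:password" layout, the sample credentials and the secret are assumptions constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample of the pre-3.0 cookie format: base64("username:password").
# The credentials are made up for this example.
LEGACY_COOKIE = base64.b64encode(b"alice:s3cret-pass").decode()


def legacy_cookie_exposes_credentials(cookie_value: str) -> bool:
    """Audit heuristic: does a __ac value decode to a printable 'user:password' pair?

    True means the cookie is in the format described by CVE-2008-1394, i.e. anyone
    who can read the cookie on the wire recovers the password by base64-decoding it.
    """
    try:
        raw = base64.b64decode(cookie_value, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    # Heuristic: assumes the colon separator; opaque MACs contain no colon.
    return text.isprintable() and ":" in text


# Hardened pattern (illustrative, not Plone's own implementation): a session
# ticket that is authenticated with a server-side secret instead of carrying
# the password. Layout: userid!nonce!hex(HMAC-SHA256(secret, userid!nonce)).
def make_session_ticket(secret: bytes, userid: str) -> str:
    nonce = secrets.token_hex(8)
    payload = f"{userid}!{nonce}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload + b"!" + tag.encode()).decode()


def verify_session_ticket(secret: bytes, ticket: str) -> Optional[str]:
    """Return the user id if the ticket's MAC verifies, else None."""
    try:
        raw = base64.b64decode(ticket, validate=True).decode()
        userid, nonce, tag = raw.rsplit("!", 2)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret, f"{userid}!{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a forged or tampered ticket yields None.
    return userid if hmac.compare_digest(expected, tag) else None
```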

Remediation

Upgrade plone to version 3.0.0 or higher.

CVSS Score

7.3 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit: Unknown
CVE: CVE-2008-1394
CWE: CWE-255
Snyk ID: SNYK-PYTHON-PLONE-40790
Disclosed: 20 Mar, 2008
Published: 17 Jun, 2018