HIGH

GHSA-593c-j348-f3gv

Plone Improper Session Management

Details

Plone CMS before 3 places a base64-encoded form of the username and password in the `__ac` cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network.
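
A defender-side check for the condition described above, as an added example that is not part of the advisory or of Plone's code: it inspects a `Set-Cookie` header and reports when the `__ac` value is reversible to credentials or is sent without the `Secure` attribute. The `name:password` layout inside the base64 value, the function name `audit_set_cookie` and the sample headers are assumptions made for illustration; the advisory states only that the username and password are base64 encoded.

```python
import base64
import binascii
from http.cookies import SimpleCookie
from urllib.parse import quote, unquote


def audit_set_cookie(header_value, cookie_name="__ac"):
    """Return findings for one Set-Cookie header value (password never echoed)."""
    findings = []
    jar = SimpleCookie()
    jar.load(header_value)
    morsel = jar.get(cookie_name)
    if morsel is None:
        return findings
    # Assumption: the value may be URL-quoted base64 of "name:password".
    raw = unquote(morsel.value)
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        decoded = None  # opaque token, not reversible text
    if decoded and ":" in decoded and decoded.isprintable():
        user = decoded.split(":", 1)[0]
        findings.append(f"{cookie_name} decodes to credentials for user {user!r}")
    if not morsel["secure"]:
        findings.append(f"{cookie_name} lacks the Secure attribute")
    return findings


# Constructed sample headers, not captured from a real site.
_B64 = quote(base64.b64encode(b"admin:constructed-pw").decode("ascii"))
LEAKY_HEADER = f'__ac="{_B64}"; Path=/'
OPAQUE_HEADER = '__ac="3f9c-opaque-token"; Path=/; Secure; HttpOnly'

if __name__ == "__main__":
    for header in (LEAKY_HEADER, OPAQUE_HEADER):
        print(header, "->", audit_set_cookie(header) or "no findings")
```

Base64 is an encoding, not encryption, so the first finding means anyone who can read the cookie can read the credentials.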

Affected packages

PyPI / plone
Introduced in: 0
Fixed in: 3.0
Fix: `pip install --upgrade 'plone>=3.0'`