MEDIUM
GHSA-hjp5-hv33-q58g
Plone credentials stored in session cookie
Details
Plone CMS 3.1.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.
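The weakness described above, as an added example that is not Plone's code: a cookie whose HMAC-SHA1 covers only the username and a server secret is identical on every login and never stops verifying, while one that also covers an issue time can be rejected once it ages out. The cookie layout, function names, secret and `MAX_AGE` are constructed assumptions for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"  # constructed sample value, not a real key
MAX_AGE = 3600                         # assumed session lifetime in seconds


def mac_hex(msg: str) -> str:
    """HMAC-SHA1 over msg with the server secret, hex encoded."""
    return hmac.new(SECRET, msg.encode(), hashlib.sha1).hexdigest()


def issue_invariant(user: str) -> str:
    """Pattern from the advisory: the MAC input is only username + secret."""
    return f"{user}:{mac_hex(user)}"


def verify_invariant(cookie: str) -> bool:
    """Accepts the cookie forever: nothing in it can expire."""
    user, _, mac = cookie.rpartition(":")
    return hmac.compare_digest(mac.encode(), mac_hex(user).encode())


def issue_expiring(user: str, now: float) -> str:
    """Hardened form: the issue time is part of the authenticated data."""
    issued = str(int(now))
    return f"{user}:{issued}:{mac_hex(f'{user}:{issued}')}"


def verify_expiring(cookie: str, now: float) -> bool:
    """Check the MAC first, then reject cookies older than MAX_AGE."""
    try:
        user, issued, mac = cookie.rsplit(":", 2)
        age = now - int(issued)
    except ValueError:
        return False  # malformed cookie or non-numeric timestamp
    expected = mac_hex(f"{user}:{issued}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return 0 <= age <= MAX_AGE


if __name__ == "__main__":
    t0 = 1_000_000  # constructed clock value
    print(issue_invariant("alice") == issue_invariant("alice"))  # same every login
    fresh = issue_expiring("alice", t0)
    print(verify_expiring(fresh, t0 + 60), verify_expiring(fresh, t0 + MAX_AGE + 1))
```

An expiry only bounds how long a captured cookie stays valid; the cookie still has to travel over TLS to keep it from being captured in the first place.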
Affected packages
PyPI / plone
Introduced in: 0
No fixed version published yet for plone (pip). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2008-1396 [ADVISORY]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41421 [WEB]
- https://github.com/plone/Plone [WEB]
- http://securityreason.com/securityalert/3754 [WEB]
- http://www.procheckup.com/Hacking_Plone_CMS.pdf [WEB]
- http://www.securityfocus.com/archive/1/489544/100/0/threaded [WEB]