CVE-2008-1396
Plone credentials stored in session cookie
EPSS 0.33%
Description
Plone CMS 3.1.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.
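The weakness described above, shown beside a time-bound variant, as an added example that is not Plone's code. The cookie layout, the secret and the `MAX_AGE` lifetime are assumptions made for illustration.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # constructed value, not a real key
MAX_AGE = 3600  # assumed session lifetime in seconds


def _mac(message: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, message, hashlib.sha1).hexdigest().encode()


def invariant_cookie(username: str) -> str:
    """Pattern from the description: the MAC covers only invariant data."""
    return f"{username}:{_mac(username.encode()).decode()}"


def verify_invariant(cookie: str) -> bool:
    username, _, tag = cookie.rpartition(":")
    # Nothing here depends on time, so a captured cookie never stops verifying.
    return hmac.compare_digest(tag.encode(), _mac(username.encode()))


def expiring_cookie(username: str, now: int) -> str:
    """Time-bound variant: the issue time is part of the MACed payload."""
    payload = f"{username}|{now}"
    return f"{payload}:{_mac(payload.encode()).decode()}"


def verify_expiring(cookie: str, now: int) -> bool:
    payload, _, tag = cookie.rpartition(":")
    if not hmac.compare_digest(tag.encode(), _mac(payload.encode())):
        return False  # payload or tag was altered
    _, _, issued = payload.rpartition("|")
    if not issued.isdigit():
        return False
    return 0 <= now - int(issued) <= MAX_AGE  # reject stale or future-dated cookies


if __name__ == "__main__":
    t0 = 1_200_000_000  # constructed timestamp
    old = invariant_cookie("alice")
    print("invariant cookie, any later time:", verify_invariant(old))
    fresh = expiring_cookie("alice", t0)
    print("expiring cookie, 10 s later:", verify_expiring(fresh, t0 + 10))
    print("expiring cookie, after MAX_AGE:", verify_expiring(fresh, t0 + MAX_AGE + 1))
```

Binding the issue time into the MAC only bounds how long a captured cookie stays valid; the cookie still needs transport encryption, and revoking a session before expiry requires server-side state or a rotated secret.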
How to fix CVE-2008-1396
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- PyPI/plone: no fix listed
Is CVE-2008-1396 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 3.1.7