Vulnerability Details : CVE-2008-1396
Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network.
Exploit prediction scoring system (EPSS) score for CVE-2008-1396
Probability of exploitation activity in the next 30 days: 0.38%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 69 %
CVSS scores for CVE-2008-1396
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2008-1396
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-1396
- http://www.procheckup.com/Hacking_Plone_CMS.pdf
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41421 (Plone HMAC-SHA1 value man-in-the-middle CVE-2008-1396 Vulnerability Report)
- http://securityreason.com/securityalert/3754 (Plone CMS Security Research - the Art of Plowning - CXSecurity.com)
- http://www.securityfocus.com/archive/1/489544/100/0/threaded
Products affected by CVE-2008-1396
- cpe:2.3:a:plone:plone_cms:*:*:*:*:*:*:*:*