CyberSec.Space Logo
Back to CVE Browser

CVE-2008-1393

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.1080%
EPSS Percentile29.28th
PublishedMar 20, 2008
Last ModifiedApr 23, 2026

Vulnerability Description

Plone CMS 3.0.5, and probably other 3.x versions, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network.

Affected Platforms (CPE)

πŸ“¦
Plone

Plone Cms

<= 3
πŸ“¦
Plone

Plone Cms

<= 3.0.5

References & Advisories

πŸ”— http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords
πŸ”— http://plone.org/products/plone/roadmap/48?
πŸ”— http://securityreason.com/securityalert/3754
πŸ”— http://www.procheckup.com/Hacking_Plone_CMS.pdf
πŸ”— http://www.securityfocus.com/archive/1/489544/100/0/threaded
πŸ”— https://exchange.xforce.ibmcloud.com/vulnerabilities/41427
πŸ”— http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords
πŸ”— http://plone.org/products/plone/roadmap/48?

Related Vulnerabilities

CVE-2021-339268.8

An issue in Plone CMS v. 5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5...

CVE-2008-13957.5

Plone CMS does not record users' authentication states, and implements the logout feature solely on the client side, which makes i...

CVE-2008-13947.5

Plone CMS before 3 places a base64 encoded form of the username and password in the __ac cookie for all user accounts, which makes...

CVE-2016-71366.1

z3c.form in Plone CMS 5.x through 5.0.6 and 4.x through 4.3.11 allows remote attackers to conduct cross-site scripting (XSS) attac...