GCVE - cpe:2.3:a:plone:plone_cms:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:plone:plone_cms:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Plone (`20065100-5fec-5b5e-bb46-a6d4673848e0`)
Product	Plone Cms (`7f8a9fea-4c0c-5efb-aa28-6788af52a61f`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:github/plone/plone`	purl2cpe	2026-06-01 10:16:04.195580
`pkg:pypi/plone`	purl2cpe	2026-06-01 10:16:04.195582

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2008-1396`	vulnerable	2026-06-03 14:28:40.614055	Details available Plone CMS 3.x uses invariant data (a client username and a server secret) when calculating an HMAC-SHA1 value for an authentication cookie, which makes it easier for remote attackers to gain permanent access to an account by sniffing the network. Published: 2008-03-20T00:00:00.000Z Updated: 2024-08-07T08:17:34.695Z Open on db.gcve.eu Reference links http://securityreason.com/securityalert/3754 https://exchange.xforce.ibmcloud.com/vulnerabilities/41421 http://www.securityfocus.com/archive/1/489544/100/0/threaded http://www.procheckup.com/Hacking_Plone_CMS.pdf	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-1395`	vulnerable	2026-06-03 14:28:40.613747	Details available Plone CMS does not record users' authentication states, and implements the logout feature solely on the client side, which makes it easier for context-dependent attackers to reuse a logged-out session. Published: 2008-03-20T00:00:00.000Z Updated: 2024-08-07T08:17:34.704Z Open on db.gcve.eu Reference links http://securityreason.com/securityalert/3754 http://www.securityfocus.com/archive/1/489544/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/41423 http://www.procheckup.com/Hacking_Plone_CMS.pdf	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-1394`	vulnerable	2026-06-03 14:28:40.609698	Details available Plone CMS before 3 places a base64 encoded form of the username and password in the __ac cookie for all user accounts, which makes it easier for remote attackers to obtain access by sniffing the network. Published: 2008-03-20T00:00:00.000Z Updated: 2024-08-07T08:17:34.858Z Open on db.gcve.eu Reference links http://securityreason.com/securityalert/3754 http://www.securityfocus.com/archive/1/489544/100/0/threaded http://plone.org/about/security/overview/security-overview-of-plone/ http://www.procheckup.com/Hacking_Plone_CMS.pdf https://exchange.xforce.ibmcloud.com/vulnerabilities/41425	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2008-1393`	vulnerable	2026-06-03 14:28:40.609256	Details available Plone CMS 3.0.5, and probably other 3.x versions, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network. Published: 2008-03-20T00:00:00.000Z Updated: 2024-08-07T08:17:34.698Z Open on db.gcve.eu Reference links http://securityreason.com/securityalert/3754 http://www.securityfocus.com/archive/1/489544/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/41427 http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords http://www.procheckup.com/Hacking_Plone_CMS.pdf	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.