CVE-2008-1393 | Vulnerability Database | Aqua Security

Plone CMS 3.0.5, and probably other 3.x versions, places a base64 encoded form of the username and password in the __ac cookie for the admin account, which makes it easier for remote attackers to obtain administrative privileges by sniffing the network.

Affected Software

Name	Vendor	Start Version	End Version
Plone_cms	Plone	*	3 (including)
Plone_cms	Plone	*	3.0.5 (including)
Zope-cmfplone	Ubuntu	dapper	*
Zope-cmfplone	Ubuntu	edgy	*
Zope-cmfplone	Ubuntu	feisty	*
Zope-cmfplone	Ubuntu	gutsy	*
Zope-cmfplone	Ubuntu	hardy	*
Zope-cmfplone	Ubuntu	intrepid	*

References

http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords
http://plone.org/products/plone/roadmap/48?
http://securityreason.com/securityalert/3754
http://www.procheckup.com/Hacking_Plone_CMS.pdf
http://www.securityfocus.com/archive/1/489544/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/41427
http://plone.org/documentation/how-to/secure-login-without-plain-text-passwords
http://plone.org/products/plone/roadmap/48?
http://securityreason.com/securityalert/3754
http://www.procheckup.com/Hacking_Plone_CMS.pdf
http://www.securityfocus.com/archive/1/489544/100/0/threaded
https://exchange.xforce.ibmcloud.com/vulnerabilities/41427

NVD	https://nvd.nist.gov/vuln/detail/CVE-2008-1393
CWE	https://cwe.mitre.org/data/definitions/255.html