CVE-2018-10990

On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:commscope:arris_tg1682g_firmware:9.1.103j6:*:*:*:*:*:*:*
cpe:2.3:h:commscope:arris_tg1682g:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:42

Type Values Removed Values Added
References () https://medium.com/%40AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c - () https://medium.com/%40AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c -

13 Sep 2021, 11:32

Type Values Removed Values Added
CPE cpe:2.3:o:arris:tg1682g_firmware:9.1.103j6:*:*:*:*:*:*:*
cpe:2.3:h:arris:tg1682g:-:*:*:*:*:*:*:*
cpe:2.3:h:commscope:arris_tg1682g:-:*:*:*:*:*:*:*
cpe:2.3:o:commscope:arris_tg1682g_firmware:9.1.103j6:*:*:*:*:*:*:*

Information

Published : 2018-05-14 14:29

Updated : 2024-11-21 03:42


NVD link : CVE-2018-10990

Mitre link : CVE-2018-10990

CVE.ORG link : CVE-2018-10990


JSON object : View

Products Affected

commscope

  • arris_tg1682g_firmware
  • arris_tg1682g
CWE
CWE-613

Insufficient Session Expiration