← Back

CVE-2018-10990

nvd nist
Published: May 14, 2018Modified: Nov 21, 2024

JSON object

Loading...
8.0
Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.3 / Impact: 6.0
Source: NVD

Description

On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.

Affected (1)

Commscope
1 product
Arris Tg1682g Firmware
Configuration A
1 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Arris Tg1682g Firmware
Version 9.1.103j6
Running on/withPlatform Versions
Commscope
Arris Tg1682g
All versions

Related CWEs

CWE-613
Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References (2)

Source: cve@mitre.org
Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.