Vulnerabilities > CVE-2018-10990 - Insufficient Session Expiration vulnerability in Commscope Arris Tg1682G Firmware 9.1.103J6

CVSS 8.0 - HIGH

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

high complexity

commscope

CWE-613

NVD

Published: 2018-05-14

Updated: 2023-11-07

Summary

On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.

Vulnerable Configurations

Part	Description	Count
OS	Commscope Commscope Arris Tg1682G Firmware 9.1.103J6	1
Hardware	Commscope Commscope Arris Tg1682G -	1

Common Weakness Enumeration (CWE)

CWE-613 - Insufficient Session Expiration

References

https://medium.com/%40AkshaySharmaUS/comcast-arris-touchstone-gateway-devices-are-vulnerable-heres-the-disclosure-7d603aa9342c