CVE-2018-10990: Insufficient Session Expiration in Arris Tg1682g Firmware

Severity: 8.0 HIGH (NVD)
EPSS: 0.3% (top 44.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: May 14
Latest update: May 13

Description

On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often n

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 1.3 | Impact: 6.0

Affected Packages: 1 package

Vulnerability Details (2)

GHSA
GHSA-j8qv-c9rp-9gqj: On Arris Touchstone Telephony Gateway TG1682G 9 | 2022-05-13
CVEList
CVE-2018-10990: On Arris Touchstone Telephony Gateway TG1682G 9 | 2018-05-14
CVE-2018-10990 — Insufficient Session Expiration | cvebase