CVE-2018-10990

Summary

CVE	CVE-2018-10990
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-05-14 14:29:00 UTC
Updated	2023-11-07 02:51:00 UTC
Description	On Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices, a logout action does not immediately destroy all state on the device related to the validity of the "credential" cookie, which might make it easier for attackers to obtain access at a later time (e.g., "at least for a few minutes"). NOTE: there is no documentation stating that the web UI's logout feature was supposed to do anything beyond removing the cookie from one instance of a web browser; a client-side logout action is often not intended to address cases where a person has made a copy of a cookie outside of a browser.

Risk And Classification

Problem Types: CWE-613

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Hardware	Arris	Tg1682g	-	All	All	All
Hardware	Arris	Tg1682g	-	All	All	All
Operating System	Arris	Tg1682g Firmware	9.1.103j6	All	All	All
Operating System	Arris	Tg1682g Firmware	9.1.103j6	All	All	All
Hardware	Commscope	Arris Tg1682g	-	All	All	All
Operating System	Commscope	Arris Tg1682g Firmware	9.1.103j6	All	All	All

References

Reference	Source	Link	Tags
Comcast Arris Touchstone Gateway Devices are vulnerable! Here’s the disclosure. \| by Ax Sharma \| AxDB \| Medium	MISC	medium.com	Exploit, Third Party Advisory
Comcast Arris Touchstone Gateway Devices are vulnerable! Here’s the disclosure. \| by Ax Sharma \| AxDB \| Medium		medium.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.