PT-2017-18962 · Cisco · Cisco DPC3939B

Chris Grayson

Published 2017-07-31 · Updated 2021-09-13

CVE-2017-9492

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Cisco DPC3939 versions dpc3939-P20-18-v303r20421733-160420a-CMCST through dpc3939-P20-18-v303r20421746-170221a-CMCST
Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST
Cisco DPC3941T version DPC3941 2.5s3 PROD sey
Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey

Description

The issue concerns the absence of the HTTPOnly flag in the Set-Cookie header sent by the devices' administration applications. Without this flag the cookie is readable by script running in the browser, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.

Recommendations

For all of the affected versions listed above, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header.
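A header audit for the flaw described above, added here as an example (not code from the advisory, its database, or the affected vendors): it parses each Set-Cookie value, reports cookies that lack HttpOnly and, going one step beyond the advisory, also reports a missing Secure flag; the sample response headers and the SESSIONID cookie name are constructed.

```python
"""Audit Set-Cookie headers for the HttpOnly flag this advisory concerns (plus the related Secure flag).
Added example, not code from the database or the affected vendors; sample headers are constructed."""
from dataclasses import dataclass, field

MISSING_HTTPONLY = "missing HttpOnly"  # the defect this advisory describes
MISSING_SECURE = "missing Secure"      # related flag: cookie may be sent over cleartext HTTP

@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

def parse_set_cookie(header_value: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()  # flag attributes keep an empty value
    return CookieAudit(name=name, attributes=attrs)

def audit_cookie(header_value: str, over_tls: bool = True) -> CookieAudit:
    """Record which protective flags an administration cookie lacks."""
    audit = parse_set_cookie(header_value)
    if "httponly" not in audit.attributes:
        audit.findings.append(MISSING_HTTPONLY)
    if over_tls and "secure" not in audit.attributes:
        audit.findings.append(MISSING_SECURE)
    return audit

def audit_headers(headers, over_tls: bool = True) -> list:
    """Audit every Set-Cookie header in a list of (name, value) response headers."""
    return [audit_cookie(v, over_tls) for k, v in headers if k.lower() == "set-cookie"]

# Constructed sample response from an admin login page (not captured from a real device).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSIONID=c0ffee; Path=/"),                     # vulnerable pattern
    ("Set-Cookie", "SESSIONID=c0ffee; Path=/; HttpOnly; Secure"),  # corrected pattern
]

if __name__ == "__main__":
    for result in audit_headers(SAMPLE_HEADERS):
        print(result.name, "OK" if not result.findings else ", ".join(result.findings))
```

Feed it the header list from any HTTP client that exposes raw response headers; a cookie with no findings carries both flags.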

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2017-9492

Affected products

Arris Tg1682G
Cisco Dpc3939
Cisco Dpc3939B
Cisco Dpc3941T