PT-2017-18962 · Cisco+1 · Cisco Dpc3939B+3
Chris Grayson
+2
·
Published
2017-07-31
·
Updated
2021-09-13
·
CVE-2017-9492
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Cisco DPC3939 versions dpc3939-P20-18-v303r20421733-160420a-CMCST through dpc3939-P20-18-v303r20421746-170221a-CMCST
Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST
Cisco DPC3941T version DPC3941 2.5s3 PROD sey
Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey
Description
The issue concerns the absence of the HTTPOnly flag in a Set-Cookie header for administration applications. This omission makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Recommendations
For Cisco DPC3939 versions dpc3939-P20-18-v303r20421733-160420a-CMCST through dpc3939-P20-18-v303r20421746-170221a-CMCST, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header.
For Cisco DPC3939B version dpc3939b-v303r204217-150321a-CMCST, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header.
For Cisco DPC3941T version DPC3941 2.5s3 PROD sey, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header.
For Arris TG1682G version 10.0.132.SIP.PC20.CT, software version TG1682 2.2p7s2 PROD sey, consider configuring the administration application to include the HTTPOnly flag in the Set-Cookie header.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Arris Tg1682G
Cisco Dpc3939
Cisco Dpc3939B
Cisco Dpc3941T