Vulnerability Details CVE-2017-9492
The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST); Cisco DPC3941T (firmware version DPC3941_2.5s3_PROD_sey); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices does not include the HTTPOnly flag in a Set-Cookie header for administration applications, which makes it easier for remote attackers to obtain potentially sensitive information via script access to cookies.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
Products affected by CVE-2017-9492
-
cpe:2.3:h:cisco:dpc3939:-
-
cpe:2.3:h:cisco:dpc3939b:-
-
cpe:2.3:h:cisco:dpc3941t:-
-
cpe:2.3:h:commscope:arris_tg1682g:-
-
cpe:2.3:o:cisco:dpc3939_firmware:dpc3939-p20-18-v303r20421733-160420a-cmcst
-
cpe:2.3:o:cisco:dpc3939_firmware:dpc3939-p20-18-v303r20421746-170221a-cmcst
-
cpe:2.3:o:cisco:dpc3939b_firmware:dpc3939b-v303r204217-150321a-cmcst
-
cpe:2.3:o:cisco:dpc3941t_firmware:dpc3941_2.5s3_prod_sey
-
cpe:2.3:o:commscope:arris_tg1682g_firmware:10.0.132.sip.pc20.ct
-
cpe:2.3:o:commscope:arris_tg1682g_firmware:tg1682_2.2p7s2_prod_sey