CVE-2017-9491

MEDIUM

Cisco DPC3939-0 - Info Disclosure

Title source: llm

Description

The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST); Cisco DPC3939 (firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST); Cisco DPC3939B (firmware version dpc3939b-v303r204217-150321a-CMCST); Cisco DPC3941T (firmware version DPC3941_2.5s3_PROD_sey); and Arris TG1682G (eMTA&DOCSIS version 10.0.132.SIP.PC20.CT, software version TG1682_2.2p7s2_PROD_sey) devices does not set the secure flag for cookies in an https session to an administration application, which makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session.

References (1)

[Mitigation, Third Party Advisory] https://github.com/BastilleResearch/CableTap/blob/master/doc/advisories/bastille-35.improper-cookie-flags.txt

View Writeup ZIP pw:eip

Scores

CVSS v3 5.3

EPSS 0.0026

EPSS Percentile 49.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-200

Status published

Products (7)

cisco/dpc3939_firmware

cisco/dpc3939b_firmware

cisco/dpc3941t_firmware

commscope/arris_tg1682g_firmware

n/a/n/a

Published Jul 31, 2017

Tracked Since Feb 18, 2026