CVE-2010-4591
IBM Lotus Mobile Connect < 6.1.4 - Improper Authentication via LTPA Token Persistence
Title source: llmDescription
The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch.
References (3)
Core References
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/42703
Various Sources (x_refsource_confirm): http://www-01.ibm.com/support/docview.wss?uid=swg27020327
Various Sources (vendor-advisory, x_refsource_aixapar): http://www-01.ibm.com/support/docview.wss?uid=swg1IZ74393
Scores
EPSS: 0.0028
EPSS Percentile: 19.7%
Details
CWE: CWE-287
Status: published
Products (4)
ibm/lotus_mobile_connect 6.1.1
ibm/lotus_mobile_connect 6.1.1.1
ibm/lotus_mobile_connect 6.1.2
ibm/lotus_mobile_connect < 6.1.3
Published: Dec 22, 2010
Tracked Since: Feb 18, 2026