CVE-2010-4591

IBM Lotus Mobile Connect < 6.1.3 - Authentication Bypass

Title source: rule

Description

The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch.

References (3)

[Various Sources] http://www-01.ibm.com/support/docview.wss?uid=swg1IZ74393

[Various Sources] http://www-01.ibm.com/support/docview.wss?uid=swg27020327

[Third Party Advisory] http://secunia.com/advisories/42703

Scores

EPSS 0.0005

EPSS Percentile 16.4%

Classification

CWE

CWE-287

Status draft

Affected Products (4)

ibm/lotus_mobile_connect < 6.1.3

ibm/lotus_mobile_connect

Timeline

Published Dec 22, 2010

Tracked Since Feb 18, 2026