CVE Vulnerabilities

CVE-2010-4591

Improper Authentication

Published: Dec 22, 2010 | Modified: Jan 11, 2011
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
4.4 MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu

The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Lotus_mobile_connect Ibm 6.1.1.1 6.1.1.1
Lotus_mobile_connect Ibm 6.1.1 6.1.1
Lotus_mobile_connect Ibm * 6.1.3
Lotus_mobile_connect Ibm 6.1.2 6.1.2

Potential Mitigations

References