Token Management Flaw in IBM Lotus Mobile Connect
CVE-2010-4591

Currently unrated

Key Information:

Vendor
IBM
CVE Published:
22 December 2010

Summary

The Connection Manager in IBM Lotus Mobile Connect prior to version 6.1.4 contains a significant security flaw: because of a mismatch in cookie domains, LTPA tokens are not adequately deleted when a user clicks the iNotes Logoff button. The token that remains on the client can allow a nearby attacker with access to an unattended client to potentially access sensitive information.
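
The cookie-domain mismatch described above, modelled as an added example (not IBM's code and not part of the original advisory): a browser cookie store keyed by name, domain and path, as in RFC 6265, drops a cookie only when the expiring Set-Cookie matches all three. The host name, domain, token value, and which response omits the Domain attribute are constructed assumptions, since the page does not say which domains the product used.

```python
from http.cookies import SimpleCookie

# Constructed sample values: host, SSO domain and token are placeholders.
HOST = "mail.example.com"
LOGIN = "LtpaToken=CONSTRUCTED; Domain=example.com; Path=/"
LOGOFF_MISMATCH = "LtpaToken=deleted; Max-Age=0; Path=/"  # no Domain: host-only
LOGOFF_MATCH = "LtpaToken=deleted; Max-Age=0; Domain=example.com; Path=/"


def apply_set_cookie(jar, request_host, header):
    """Apply one Set-Cookie header to jar, keyed by (name, domain, path)."""
    morsel = next(iter(SimpleCookie(header).values()))
    # Without a Domain attribute the cookie is scoped to the request host.
    domain = morsel["domain"].lstrip(".").lower() or request_host.lower()
    # Simplification: a missing Path is treated as "/".
    key = (morsel.key, domain, morsel["path"] or "/")
    if morsel["max-age"] == "0":
        jar.pop(key, None)  # expiry only removes the identical key
    else:
        jar[key] = morsel.value
    return jar


def tokens_after_logoff(login_header, logoff_header, host=HOST):
    """Return the LtpaToken jar entries still present after logoff."""
    jar = {}
    apply_set_cookie(jar, host, login_header)
    apply_set_cookie(jar, host, logoff_header)
    return sorted(k for k in jar if k[0] == "LtpaToken")


if __name__ == "__main__":
    print("mismatched logoff:", tokens_after_logoff(LOGIN, LOGOFF_MISMATCH))
    print("matched logoff:   ", tokens_after_logoff(LOGIN, LOGOFF_MATCH))
```

The same comparison works as a regression check on a logoff endpoint: every session cookie set at login should have a logoff Set-Cookie with the identical Domain and Path.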

Timeline

  • Vulnerability published

  • Vulnerability Reserved
