Lack of LTPA Token Deletion in IBM Lotus Mobile Connect Allows Unauthorized Access

CVE-2010-4591 · MEDIUM Severity

CVSS v2 vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch.
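A check for the failure mode described above, as an added example (not IBM's code and not part of the original advisory): it replays login and logoff `Set-Cookie` headers through a minimal RFC 6265-style cookie jar and reports any token that survives logoff. The host name, token values and the exact shape of the domain mismatch are constructed assumptions; the advisory only states that a cookie domain mismatch is involved.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def cookie_key(morsel, request_host):
    """RFC 6265 identifies a stored cookie by (name, domain, path).
    Without a Domain attribute the cookie is bound to the responding host."""
    domain = morsel["domain"].lstrip(".").lower() or request_host.lower()
    return (morsel.key, domain, morsel["path"] or "/")


def is_deletion(morsel):
    """A Set-Cookie acts as a delete when it expires the cookie immediately."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) <= 0
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) <= datetime.now(timezone.utc)
    return False


def surviving_cookies(login_headers, logoff_headers, request_host):
    """Replay Set-Cookie values in order; return cookie keys left after logoff."""
    jar = {}
    for header in list(login_headers) + list(logoff_headers):
        for morsel in SimpleCookie(header).values():
            key = cookie_key(morsel, request_host)
            if is_deletion(morsel):
                # Only an exact (name, domain, path) match is removed.
                jar.pop(key, None)
            else:
                jar[key] = morsel.value
    return sorted(jar)


# Constructed sample headers (assumption: token issued for the parent domain).
HOST = "mail.example.com"
LOGIN = ["LtpaToken=AAAAconstructed; Domain=.example.com; Path=/"]
# Logoff expires a host-only cookie: different domain, so the token remains.
LOGOFF_MISMATCH = ["LtpaToken=deleted; Max-Age=0; Path=/"]
# Logoff expires the cookie with the same Domain and Path it was issued with.
LOGOFF_MATCH = ["LtpaToken=deleted; Max-Age=0; Domain=.example.com; Path=/"]

if __name__ == "__main__":
    for label, logoff in (("mismatch", LOGOFF_MISMATCH), ("match", LOGOFF_MATCH)):
        left = surviving_cookies(LOGIN, logoff, HOST)
        print(label, "-> tokens still in jar:", left or "none")
```

Run against headers captured from a real login and logoff, a non-empty result means the session token is still sent by the client after the user pressed Logoff.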