CVE-2010-4591 Information

Description

The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4 when HTTP Access Services (HTTP-AS) is enabled does not delete LTPA tokens in response to use of the iNotes Logoff button which might allow physically proximate attackers to obtain access via an unattended client related to a cookie domain mismatch.

Reference

http://secunia.com/advisories/42703 http://www-01.ibm.com/support/docview.wss?uid=swg1IZ74393 http://www-01.ibm.com/support/docview.wss?uid=swg27020327