The Connection Manager in IBM Lotus Mobile Connect (LMC) before 6.1.4, when HTTP Access Services (HTTP-AS) is enabled, does not delete LTPA tokens in response to use of the iNotes Logoff button, which might allow physically proximate attackers to obtain access via an unattended client, related to a cookie domain mismatch.
CPE | Name | Operator | Version |
---|---|---|---|
lotus_mobile_connect | eq | 6.1.1.1 | |
lotus_mobile_connect | eq | 6.1.1 | |
lotus_mobile_connect | le | 6.1.3 | |
lotus_mobile_connect | eq | 6.1.2 |