CVE-2006-4763

Severity

75%

Complexity

99%

Confidentiality

106%

IBM Lotus Domino Web Access (DWA) 7.0.1 does not expire a client's Lightweight Third-Party Authentication token (LtpaToken) upon logout, which allows remote attackers to obtain a user's privileges by intercepting the LtpaToken cookie.

IBM Lotus Domino Web Access (DWA) 7.0.1 does not expire a client's Lightweight Third-Party Authentication token (LtpaToken) upon logout, which allows remote attackers to obtain a user's privileges by intercepting the LtpaToken cookie.

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

First reported 18 years ago

2006-09-13 23:07:00

Last updated 6 years ago

2018-10-17 21:39:00

Affected Software

IBM Lotus Domino Web Access 7.0.1

7.0.1

References

20060912 Session Token Remains Valid After Logout in IBM Lotus Domino Web Access

1571

http://www.fishnetsecurity.com/csirt/disclosure/ibm

20060912 Session Token Remains Valid After Logout in IBM Lotus Domino Web Access

19966

http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21245589

domino-token-session-hijack(28881)

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.