IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Description

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Basic Information

ID CVE-2026-4820

Source ibm

Published Apr 1, 2026 at 20:54

Modified Apr 2, 2026 at 15:51

Affected Product

Vendor IBM

Product Maximo Application Suite

Version 9.1.0

Affected Versions IBM Maximo Application Suite 9.1.0
IBM Maximo Application Suite 9.0
IBM Maximo Application Suite 8.11.0
IBM Maximo Application Suite 8.10

CWE Classification

CWE-614

References

www.ibm.com /support/pages/node/7268028

{
    "lastseen": "",
    "description": "IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.",
    "published": "2026-04-01T20:54:09.417Z",
    "modified": "2026-04-02T15:51:44.073Z",
    "type": "cve",
    "title": "IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag",
    "source": "ibm",
    "references": "https://www.ibm.com/support/pages/node/7268028",
    "id": "CVE-2026-4820",
    "bulletinFamily": "",
    "cwe": [
        "CWE-614"
    ],
    "cvelist": null,
    "sourceData": "IBM Maximo Application Suite 9.1.0\nIBM Maximo Application Suite 9.0\nIBM Maximo Application Suite 8.11.0\nIBM Maximo Application Suite 8.10",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Maximo Application Suite",
    "version": "9.1.0",
    "vendor": "IBM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_ was not set with secure flag_CVE-2026-4820