VYPR
Unrated severity · NVD Advisory · Published Apr 8, 2020 · Updated Sep 16, 2024

CVE-2020-4291

Description

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176334.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Security Information Queue (ISIQ) versions 1.0.0–1.0.5 do not invalidate sessions upon logout, allowing session hijacking via the Web UI.

Vulnerability

IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 do not properly invalidate session identifiers when a user logs out of the Web UI. This insufficient timeout functionality means that a previously valid session token remains usable, potentially disclosing sensitive information to an unauthorized user [1].

Exploitation

An attacker who can obtain a valid session token (e.g., through network sniffing, XSS, or by gaining access to a user's browser cookies) can reuse that token after the legitimate user has logged out. No authentication is required for the replayed session; the attacker simply presents the captured token to the ISIQ Web UI to assume the victim's session [1].

Impact

Successful exploitation allows the attacker to access sensitive information visible to the original user's session, leading to a low confidentiality impact. The CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N) indicates no integrity or availability impact, but the scope is changed because the compromised session may expose data beyond the attacker's authorized access [1].

Mitigation

The vulnerability is fixed in IBM Security Information Queue version 1.0.6, which immediately invalidates the session token upon user logout. No workarounds are available for versions 1.0.0 through 1.0.5; upgrading to 1.0.6 or later is the recommended mitigation [1].
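The defect class behind this advisory, as an added illustration that is not ISIQ code and makes no claim about how the product is implemented: a logout that only clears the browser cookie leaves the server-side session record valid, so a previously captured token keeps working, whereas the fixed pattern invalidates the record server-side first. The idle timeout, user name and clock values are constructed for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # constructed value: idle limit in seconds

class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}
        self._clock = clock  # injectable clock so timeouts can be tested

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable identifier
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token):
        """Return the user bound to token, or None if unknown or idle too long."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._clock() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # idle timeout: stale session is dropped
            return None
        sess["last_seen"] = self._clock()
        return sess["user"]

    def logout_weak(self, token):
        """Defective logout: clears only the cookie; the server still honours the token."""
        return {"Set-Cookie": "SESSION=; Max-Age=0"}

    def logout_fixed(self, token):
        """Correct logout: invalidate server-side first, then clear the cookie."""
        self._sessions.pop(token, None)
        return {"Set-Cookie": "SESSION=; Max-Age=0"}

def token_survives_logout(fixed):
    """Does a token still resolve after the user logs out? True is the bug."""
    store = SessionStore()
    token = store.login("alice")  # constructed user
    (store.logout_fixed if fixed else store.logout_weak)(token)
    return store.resolve(token) is not None

def token_survives_idle(seconds_idle):
    """Does a token still resolve after being idle for seconds_idle seconds?"""
    now = [1_000_000.0]  # constructed fake clock
    store = SessionStore(clock=lambda: now[0])
    token = store.login("alice")
    now[0] += seconds_idle
    return store.resolve(token) is not None
```

A detection check for the weak pattern is the same as `token_survives_logout(False)`: replay a session cookie against an authenticated endpoint after a clean logout and expect a redirect to login, not data.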

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
