The server in IBM Tivoli Storage Manager (TSM) 5.1.x, 5.2.x before 5.2.1.2, and 6.x before 6.1 does not require credentials to observe the server console in some circumstances, which allows remote authenticated administrators to monitor server operations by establishing a console mode session, related to "session exposure."
https://exchange.xforce.ibmcloud.com/vulnerabilities/49536
http://www.vupen.com/english/advisories/2009/0881
http://www.securityfocus.com/bid/34285
http://www-1.ibm.com/support/docview.wss?uid=swg1IC37554
http://www-01.ibm.com/support/docview.wss?uid=swg21375360