Description

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Remediation

References

CVE-2008-0128

Related Vulnerabilities

Liferay DXP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2023-40191)

WordPress Plugin Email Subscriber Cross-Site Scripting (1.1)

WordPress Plugin WPQA-Builder forms Addon For WordPress Insecure Direct Object Reference (5.9.2)

phpMyAdmin Resource Management Errors Vulnerability (CVE-2014-9218)

WordPress Plugin Contact Form Manager Multiple Cross-Site Scripting Vulnerabilities (1.4.1)

Severity

Medium

Classification

CVE-2008-0128

Tags

Missing Update Known Vulnerabilities