Description
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
Remediation
References
Related Vulnerabilities
Joomla Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-2890)
WordPress Plugin Drag and Drop Multiple File Upload-Contact Form 7 Cross-Site Scripting (1.3.6.2)
Oracle Database Server CVE-2019-2940 Vulnerability (CVE-2019-2940)
WordPress Plugin WP GuestMap Multiple Cross-Site Scripting Vulnerabilities (1.8)
Apache Tomcat Improper Access Control Vulnerability (CVE-2016-5388)