Description
The default configuration of Apache Tomcat 6.x does not include the HttpOnly flag in the Set-Cookie header it emits for the session cookie, which makes it easier for remote attackers to hijack a session via script access to that cookie.
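As an added example (not from this page or the Tomcat project), the check below parses Set-Cookie header values and reports session cookies that are missing the HttpOnly attribute, which is the condition the description refers to. The sample headers are constructed, and the set of session cookie names is an assumption.

```python
"""Report session cookies whose Set-Cookie header lacks HttpOnly (added example)."""

from dataclasses import dataclass, field

# Assumed set of cookie names that carry a session identifier; JSESSIONID is Tomcat's.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SESSIONID", "SESSIONID"}


@dataclass
class CookieInfo:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or None for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as HttpOnly have no value.
        attrs[key.strip().lower()] = val.strip() if sep else None
    return CookieInfo(name.strip(), value.strip(), attrs)


def find_unprotected_session_cookies(set_cookie_headers):
    """Return the names of session cookies that were set without HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name.upper() in SESSION_COOKIE_NAMES and not cookie.httponly:
            findings.append(cookie.name)
    return findings


# Constructed samples: the first matches the Tomcat 6.x default, the second the fixed form.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789ABCDEF; Path=/app",
    "JSESSIONID=FEDCBA9876543210; Path=/app; HttpOnly",
    "theme=dark; Path=/; Max-Age=3600",
]

if __name__ == "__main__":
    print(find_unprotected_session_cookies(SAMPLE_HEADERS))  # ['JSESSIONID']
```

The check only tells you that the flag is absent; on Tomcat 6.0.x the setting that adds it is `useHttpOnly="true"` on the Context element in conf/context.xml, which Tomcat 7 and later enable by default.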
Remediation
References