Description
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
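The weak default described above shows up directly in the server's response headers. As an added example (not part of the original page or of Tomcat), the following Python parses Set-Cookie headers and reports cookies issued without the HttpOnly attribute; the sample headers are constructed, and audit_url is a hypothetical helper for checking a live response.

```python
"""Audit Set-Cookie headers for a missing HttpOnly attribute."""
from __future__ import annotations

import urllib.request
from dataclasses import dataclass


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header value into the cookie name plus its hardening flags.

    Attribute names are matched case-insensitively, as browsers do per RFC 6265.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieAudit(name=name, httponly="httponly" in attrs, secure="secure" in attrs)


def cookies_missing_httponly(headers: list[str]) -> list[str]:
    """Return the names of cookies set without HttpOnly, in header order."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


def audit_url(url: str) -> list[str]:
    """Hypothetical live check: fetch url and report its non-HttpOnly cookies."""
    with urllib.request.urlopen(url) as resp:
        return cookies_missing_httponly(resp.headers.get_all("Set-Cookie") or [])


# Constructed sample: a session cookie as an unhardened Tomcat 6 would issue it
# (no HttpOnly), next to two correctly flagged cookies.
SAMPLE_HEADERS = [
    "JSESSIONID=A1B2C3D4E5F6; Path=/app",
    "JSESSIONID=A1B2C3D4E5F6; Path=/app; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie {name!r} is script-accessible: add HttpOnly")
```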
Remediation
References
Related Vulnerabilities
Drupal Insufficient Verification of Data Authenticity Vulnerability (CVE-2016-9450)
WordPress Cross-Domain Flash Injection Vulnerability (0.70 - 3.6.1)
Dotclear Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-1584)
Oracle Database Server CVE-2010-2415 Vulnerability (CVE-2010-2415)