Description

This alert was generated using only banner information. It may be a false positive.

Fixed in Apache Tomcat 6.0.9:
  • moderate: Session hi-jacking CVE-2008-0128
    When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute, resulting in it being transmitted to any content that is - by purpose or error - requested via http from the same server.

Affected Apache Tomcat version (6.0.0 - 6.0.8).

Remediation

Upgrade Apache Tomcat to the latest version.

References

Apache Tomcat 6.x vulnerabilities

Related Vulnerabilities

WordPress Plugin Constant Contact for WordPress Unspecified Vulnerability (3.1.6)

Apache Traffic Server Improper Input Validation Vulnerability (CVE-2021-37149)

TCExam Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2020-5743)

WordPress Plugin Tutor LMS-eLearning and online course solution Cross-Site Scripting (2.6.2)

WordPress Plugin Adminimize 'page' Parameter Cross-Site Scripting (1.7.21)

Severity

Medium

Classification

CVE-2008-0128 CWE-614 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update