GHSA-pvjh-7h8q-q56r, CVE-2010-4312
maven/org.apache.tomcat/tomcat
Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
All versions starting from 6.0.0 before 6.0.35
Upgrade to version 6.0.35 or above.
2024-02-09
source |