6.4
CVSSv2

CVE-2010-4312

Published: 26/11/2010 Updated: 21/11/2024

Vulnerability Summary

The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote malicious users to hijack a session via script access to a cookie.

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 6.0

apache tomcat 6.0.0

apache tomcat 6.0.1

apache tomcat 6.0.2

apache tomcat 6.0.3

apache tomcat 6.0.4

apache tomcat 6.0.5

apache tomcat 6.0.6

apache tomcat 6.0.7

apache tomcat 6.0.8

apache tomcat 6.0.9

apache tomcat 6.0.10

apache tomcat 6.0.11

apache tomcat 6.0.12

apache tomcat 6.0.13

apache tomcat 6.0.14

apache tomcat 6.0.15

apache tomcat 6.0.16

apache tomcat 6.0.17

apache tomcat 6.0.18

apache tomcat 6.0.19

apache tomcat 6.0.20

apache tomcat 6.0.24

apache tomcat 6.0.26

apache tomcat 6.0.27

apache tomcat 6.0.28

apache tomcat 6.0.29

Vendor Advisories

Debian Bug report logs - #608286 CVE-2010-4312: does not use HTTPOnly for session cookies by default Package: tomcat6; Maintainer for tomcat6 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Giuseppe Iuculano <iuculano@debianorg> Date: Wed, 29 Dec 2010 17:33:02 UTC Severity: mi ...