Tomcat orderby Cross Site Scripting Exploit

The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack. Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default so this vulnerability could expose session cookies from the manager application to an attacker.
Vulnerabilty ID: 
Product Version: 
Released Date: 
Wednesday, November 16, 2011 - 00:00