The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and is therefore vulnerable to a cross-site scripting attack. Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default, so this vulnerability could expose session cookies from the manager application to an attacker.
Exploit Type - Old
Exploits/Cross Site Scripting (XSS)/Known Vulnerabilities