CVE-2010-4312

MEDIUM

Description

The default configuration of Apache Tomcat 6.x does not include the HttpOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.

References

http://www.securityfocus.com/archive/1/514866/100/0/threaded

Details

Source: MITRE

Published: 2010-11-26

Updated: 2018-10-10

Type: CWE-16

Risk Information

CVSS v2.0

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM