Improper Input Validation in Apache Tomcat

The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

Jakarta Apache Tomcat Reveals Physical Paths

Apache Tomcat Vulnerable to Denial of Service (DoS) via Improper Handling of chunk extensions

Jakarta Tomcat Directory Listing vulnerability

Apache Tomcat treats single quotes as delimiters in cookies

Apache Tomcat Denial of Service vulnerability

Authentication Bypass in Apache Tomcat

Apache Tomcat Cross-site scripting (XSS) vulnerability

Improper Locking in Apache Tomcat

Apache Tomcat Open Redirect vulnerability

org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.

Apache Tomcat has cookies without HTTPOnly flag in Set-Cookie header

Missing XML Validation in Apache Tomcat

The Java Server Pages (JSP) engine in Tomcat allows web page owners to cause a denial of service (engine crash) on the web server via a JSP page that calls WPrinterJob().pageSetup(null,null).

Cross-site scripting in Apache Tomcat

Apache Tomcat XSS Vulnerability

Apache Tomcat may be started without proper security settings

Access controll bypass in Apache Tomcat

Unknown vulnerability in Tomcat 3.2.1 running on HP Secure OS for Linux 1.0 allows attackers to access servlet resources. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this issue is already covered by other CVE identifiers.