Apache Tomcat Manager Application: XSS (Cross-Site Scripting) Vulnerability

Users of the Apache Tomcat Manager application, please be advised of an XSS (cross-site scripting) vulnerability that has been identified.
For details of this vulnerability, possible remedies, and other advisories, see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

Apache-SA-11/22/2010: CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
The session list screen (provided by sessionList.jsp) in affected versions uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack. Users should be aware that Tomcat 6 does not use httpOnly for session cookies by default, so this vulnerability could expose session cookies from the manager application to an attacker.

A review of the Manager application by the Apache Tomcat security team identified additional XSS vulnerabilities if the web applications deployed were not trusted.
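As an added example (not Tomcat's code and not part of the advisory), the defensive pattern that closes this class of bug: treat orderBy and sort as enumerations rather than free text, and HTML-escape anything that is still echoed into the page. The class name, the column names in the allowlist and the default values are constructed assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper for a Manager-style session list page; not Tomcat's own code.
public final class SessionListParams {

    // Constructed allowlist: the only column names the list may be ordered by.
    private static final Set<String> ALLOWED_ORDER_BY = new HashSet<>(
            Arrays.asList("CreationTime", "LastAccessedTime", "InactiveTime", "TTL"));

    private SessionListParams() {}

    // Accept the orderBy parameter only if it names an allowed column;
    // anything else (including markup fragments) falls back to the default.
    public static String orderBy(String requested) {
        return (requested != null && ALLOWED_ORDER_BY.contains(requested))
                ? requested : "CreationTime";
    }

    // The sort direction has exactly two legal values; never echo the raw input.
    public static String sort(String requested) {
        return "DESC".equalsIgnoreCase(requested) ? "DESC" : "ASC";
    }

    // HTML-escape anything that must still be echoed as text or in an attribute
    // (e.g. the current orderBy value inside a column-header link).
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed request values: one legitimate column name, one rejected string.
        System.out.println(orderBy("LastAccessedTime") + " " + sort("desc"));
        System.out.println(orderBy("not-a-column\"><b>") + " " + sort("junk"));
    }
}
```

In a JSP this replaces direct use of request.getParameter("orderBy") with a call such as SessionListParams.orderBy(request.getParameter("orderBy")), so only allowlisted values ever reach the rendered HTML.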

Read more at http://www.criticalwatch.com