The session list screen (provided by sessionList.jsp) in affected versions of Apache Tomcat Manager uses the orderBy and sort request parameters without applying filtering and therefore is vulnerable to a cross-site scripting attack. Versions 7.0.0 through 7.0.4 and 6.0.12 through 6.0.29 are affected.
486777c2531b3377eea0df5a8570190ea9f8e536d75e7989f9c974dc66148c85
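
The following is an added example, not code from Apache Tomcat or from this advisory: it shows the unfiltered pattern described above (a request parameter written straight into the page) beside a hardened form that allowlists the value and then HTML-escapes it. The class name, the hidden-field markup, the allowlisted values, and the sample inputs are assumptions made for illustration.

```java
import java.util.Set;

public class SessionListParams {
    // Hypothetical allowlists; the page does not list the real values.
    static final Set<String> ORDER_BY = Set.of("id", "lastAccessed", "ttl");
    static final Set<String> SORT = Set.of("ASC", "DESC");

    // Unknown or missing values collapse to a fixed default.
    static String allowlisted(String value, Set<String> allowed, String fallback) {
        return value != null && allowed.contains(value) ? value : fallback;
    }

    // Escape the five characters that matter in HTML text and quoted attributes.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Unfiltered pattern: the raw parameter value lands inside the attribute.
    static String fieldUnfiltered(String name, String value) {
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + value + "\">";
    }

    // Hardened pattern: allowlist first, then escape for the attribute context.
    static String fieldHardened(String name, String value, Set<String> allowed, String fallback) {
        String safe = escapeHtml(allowlisted(value, allowed, fallback));
        return "<input type=\"hidden\" name=\"" + name + "\" value=\"" + safe + "\">";
    }

    public static void main(String[] args) {
        String orderBy = "id\"><i>constructed</i>"; // constructed sample input
        String sort = "DESC";                        // constructed sample input
        System.out.println(fieldUnfiltered("orderBy", orderBy));
        System.out.println(fieldHardened("orderBy", orderBy, ORDER_BY, "id"));
        System.out.println(fieldHardened("sort", sort, SORT, "ASC"));
    }
}
```

The allowlist alone already neutralises the constructed input here; escaping is kept as a second layer so that a later change to the allowlist cannot reintroduce the flaw.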