CVE-2016-6344 (jboss_bpm_suite)
Red Hat JBoss BPM Suite 6.3.x does not include the HTTPOnly flag in a Set-Cookie header for session cookies, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.
Source: CVE-2016-6344 (jboss_bpm_suite)