Description

Apache Tapestry uses a special input field "t:formdata" to store data for Form component. The data is a Java serialized object and it's signed for protection against data tampering. It's very important that an attacker doesn't know the value of the secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.

Remediation

Change the value of the secret "HMAC_PASSPHRASE" to a long random string.

References

Forms and Form Components

Serialized object data stored on the client should be HMAC signed and validated

Related Vulnerabilities

Oracle E-Business Suite Information Disclosure

ASP.NET ValidateRequest Is Globally Disabled

JBoss BSHDeployer MBean

Apache configured to run as proxy

Oracle E-Business Suite iStore open user registration

Severity

High

Classification

CWE-693 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Configuration Weak Credentials Default Credentials