Description

BottlePy web application can store a user's data in a cookie. For protection against cookie data tampering, BottlePy signs the cookie value with a secret key. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.

Remediation

Change the value of secret to a long random string.

References

Signed Cookies

Dangerous Pickles

Related Vulnerabilities

Struts2 Development Mode Enabled

Spring Boot Misconfiguration: MongoDB credentials stored in the properties file

PHP session.use_trans_sid enabled

ASP.NET header checking is disabled in web.config

XML external entity injection

Severity

High

Classification

CWE-693 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Configuration Weak Credentials Default Credentials