Description

Each Laravel framework based web application contains a secret key which used to sign and encrypt the session cookie for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.

Remediation

Change the value of the secret key (APP_KEY) to a long random string.

References

APP_KEY And You

Laravel APP_KEY rotation policy for app security

Related Vulnerabilities

Oracle Business Intelligence default administrative credentials

SonarQube default credentials

Web2py weak secret key

Apache Shiro Deserialization RCE

Ruby on Rails weak/known secret token

Severity

Medium

Classification

CWE-693 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Default Credentials Weak Credentials