Description

Each Play framework based web application contains a secret key which used to sign the session cookie for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.

Remediation

Change the value of the secret key to a long random string.

References

The Application Secret

Sessions

Related Vulnerabilities

Apache Axis2 administration console weak password

SonarQube default credentials

Jira Projects accessible anonymously

Weak password

Ruby framework weak secret key

Severity

Medium

Classification

CWE-693 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Weak Credentials Default Credentials