Description
Each Ruby on Rails web application contains a secret token (usually stored in the file secret_token.rb). This token secret_token is used to sign cookies that the application sets. Without this, it's impossible to trust cookies that the browser sends, and hence difficult to rely on session based authentication. It's very important that an attacker doesn't know the value of this secret token. Your application is using a weak/known token and Acunetix managed to guess this token. Knowing the secret token allows an attacker to impersonate any user in the application and even achive Remote Code Execution by deserialization of a crafted Ruby Object.
Remediation
Change the value of the secret_token (from RAILS_ROOT/config/initializers/secret_token.rb) to a random string.
References
How to hack a Rails app using its secret_token
Ruby on Rails Known Secret Session Cookie Remote Code Execution
Related Vulnerabilities
WordPress 4.3.x Multiple Vulnerabilities (4.3 - 4.3.4)
ImageMagick remote code execution
Plone CMS Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2012-5505)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-2243)
AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758)