Description
Each Ruby on Rails web application contains a secret token (usually stored in the file secret_token.rb). The application uses this token, secret_token, to sign the cookies it sets. Without it, the application cannot trust cookies that the browser sends, which makes it difficult to rely on session-based authentication. It is very important that an attacker does not know the value of this secret token. Your application is using a weak/known token and Acunetix managed to guess this token. Knowing the secret token allows an attacker to impersonate any user in the application and even achieve Remote Code Execution by deserialization of a crafted Ruby object.
Remediation
Change the value of secret_token (in RAILS_ROOT/config/initializers/secret_token.rb) to a random string.
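One way to check an initializer for a weak token literal and to generate a random replacement, as an added example (not Acunetix or Rails code). The sample file contents, the thresholds and the helper names are assumptions made for illustration.

```ruby
require "securerandom"

# Constructed sample initializers (not taken from any real application).
WEAK_SAMPLE = <<~RB
  MyApp::Application.config.secret_token = 'changemechangemechangemechangeme'
RB
ENV_SAMPLE = <<~RB
  MyApp::Application.config.secret_token = ENV['SECRET_TOKEN']
RB

# Hypothetical thresholds chosen for this example.
MIN_LENGTH = 64
MIN_DISTINCT_CHARS = 12

# Returns the string literal assigned to secret_token, or nil when the
# value is not a literal (for example, when it is read from the environment).
def literal_token(source)
  source.each_line do |line|
    next if line.strip.start_with?("#")
    m = line.match(/secret_token\s*=\s*(['"])(.*?)\1/)
    return m[2] if m
  end
  nil
end

# Returns a list of weakness findings for a literal token.
# An empty list means no weakness was detected by these heuristics.
def audit_token(source)
  token = literal_token(source)
  return [] if token.nil?
  findings = []
  findings << :too_short if token.length < MIN_LENGTH
  findings << :low_diversity if token.chars.uniq.size < MIN_DISTINCT_CHARS
  findings << :repeating_pattern if token =~ /\A(.{1,16})\1+\z/
  findings
end

# Generates a replacement: 64 random bytes, hex encoded (128 characters).
def new_token
  SecureRandom.hex(64)
end
```

Changing the token invalidates every cookie signed with the old value, so existing sessions end when the new token is deployed.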
References
How to hack a Rails app using its secret_token
Ruby on Rails Known Secret Session Cookie Remote Code Execution