Description

Each Yii2 web application contains a secret key which used to sign cookies for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.

Remediation

Change the value of the secret "cookieValidationKey" to a long random string.

References

The Secret Life of Sessions

Related Vulnerabilities

Elmah.axd / Errorlog.axd Detected

Unrestricted access to a monitoring system

Magento Cacheleak

Microsoft Frontpage configuration information

PHP register_globals Is Enabled

Severity

Medium

Classification

CWE-693 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Weak Credentials Default Credentials