Description

The Express web application uses the cookie-session middleware. The middleware uses a secret key to sign cookies for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.

Remediation

Change the value of the secret key to a long random string.

References

cookie-session

Related Vulnerabilities

Yii running in dev mode

Weak WordPress security key

JavaMelody publicly accessible

Apache Tomcat version older than 7.0.21

Spring Boot Misconfiguration: Datasource credentials stored in the properties file

Severity

Medium

Classification

CWE-693 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Weak Credentials Default Credentials