
Lzap

Rank #24715 of 53,624 · Total CVSS 9.8 · Vulnerabilities: 1
PT-2012-4767
9.8
2012-08-25
Red Hat · Katello · CVE-2012-3503
**Name of the Vulnerable Software and Affected Versions**

Katello versions 1.0 and earlier.

**Description**

The installation script does not properly generate the `Application.config.secret_token` value, so every default installation ends up with the same secret token. Because the Rails session cookie is signed with this token, a remote attacker who knows the default `secret_token` can forge a session cookie and authenticate to the CloudForms System Engine web interface as an arbitrary user.

**Recommendations**

For Katello versions 1.0 and earlier, regenerate the `Application.config.secret_token` value to a unique, randomly generated token to prevent unauthorized access; note that existing sessions become invalid once the token changes. As a temporary workaround, restrict network access to the CloudForms System Engine web interface until a secure `secret_token` has been generated.