Vulnerability Details CVE-2020-13166
The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.774
EPSS Ranking 98.9%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html
- https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
- http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html
- https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
Products affected by CVE-2020-13166
-
cpe:2.3:a:mylittletools:mylittleadmin:3.8