The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
References
| Link | Resource |
|---|---|
| http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip | Broken Link |
| https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-09-15T16:16:09
Updated: 2021-09-15T16:16:09
Reserved: 2021-08-23T00:00:00
Link: CVE-2021-39392
NVD Information
Status: Analyzed
Published: 2021-09-15T17:15:10.410
Modified: 2021-10-07T17:55:32.367
Link: CVE-2021-39392
Redhat Information
No data.
CWE