Vulnerability Details : CVE-2020-13166
Public exploit exists!
The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
Vulnerability category: Execute code
Products affected by CVE-2020-13166
- cpe:2.3:a:mylittletools:mylittleadmin:3.8:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13166
64.77%
Probability of exploitation activity in the next 30 days
~98% Percentile: the proportion of vulnerabilities scored at or below this one
Metasploit modules for CVE-2020-13166
- Plesk/myLittleAdmin ViewState .NET Deserialization
  Disclosure Date: 2020-05-15
  First seen: 2020-05-22
  exploit/windows/http/plesk_mylittleadmin_viewstate
  This module exploits a ViewState .NET deserialization vulnerability in web-based MS SQL Server management tool myLittleAdmin, for version 3.8 and likely older versions, due to hardcoded <machineKey> parameters in the web.config file for ASP.NET. Po
CVSS scores for CVE-2020-13166
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
| 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2020-13166
- The product contains hard-coded credentials, such as a password or cryptographic key. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13166
- http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html
  Plesk / myLittleAdmin ViewState .NET Deserialization ≈ Packet Storm
  Tags: Exploit; Third Party Advisory; VDB Entry
- https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/
  SSD Advisory - MyLittleAdmin PreAuth RCE - SSD Secure Disclosure
  Tags: Exploit; Third Party Advisory