PT-2021-22577 · Unknown · Mylittlebackup

Omriinbar

Published

2021-09-15

Updated

2021-10-07

CVE-2021-39392

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MyLittleBackup versions up to and including 1.7

Description: The management tool in MyLittleBackup allows remote attackers to execute arbitrary code because the machineKey is hardcoded in web.config, and can be used to send serialized ASP code. This issue affects all customers' installations due to the use of the same hardcoded machineKey.

Recommendations: For MyLittleBackup versions up to and including 1.7, consider changing the hardcoded machineKey in web.config to a unique value for each installation as a temporary workaround. However, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2021-39392

Affected Products

Mylittlebackup

PT-2021-22577 · Unknown · Mylittlebackup

CVE-2021-39392

Weakness Enumeration

Related Identifiers

Affected Products

References · 5