CVE-2021-39392

2021-09-1516:16:09

mitre

www.cve.org

cve-2021-39392

remote code execution

machinekey

web.config

asp code

AI Score

Confidence

High

EPSS

0.012

Percentile

85.3%

JSON

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers’ installations) in web.config, and can be used to send serialized ASP code.

References

www.mylittlebackup.com/mlb/zip/mlb_1.7.zip

gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281