Vulnerabilities > CVE-2021-39392 - Deserialization of Untrusted Data vulnerability in Mylittletools Mylittlebackup 1.7

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

mylittletools

CWE-502

critical

NVD

Published: 2021-09-15

Updated: 2024-11-21

Summary

The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

Vulnerable Configurations

Part	Description	Count
Application	Mylittletools Mylittletools Mylittlebackup - Mylittletools Mylittlebackup 1.7	2

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip
http://www.mylittlebackup.com/mlb/zip/mlb_1.7.zip
https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281
https://gist.github.com/omriinbar/65827626e63f15e3e50557e2d9d61281