CVSS: 9.8 • EPSS: 64% • CPEs: 1 • EXPL: 4

The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

• https://www.exploit-db.com/exploits/48513
• http://packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deserialization.html
• https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce
• https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/plesk_mylittleadmin_viewstate.rb
• CWE-798: Use of Hard-coded Credentials