What is CVE-2020-13166?

CVE-2020-13166 is a vulnerability in N/a. Published 2020-05-19.

Is CVE-2020-13166 known to be exploited?

3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in N/a

CVE-2020-13166

The management tool in MyLittleAdmin 3.8 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.

EPSS: 0.774 (99.0th percentile) — read the EPSS interpretation.

Affected products

N/a — versions n/a

Public proof-of-concept exploits

rapid7/metasploit-framework
ARPSyndicate/cvemon
zhanpengliu-tencent/medium-cve

References

ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/ (x_refsource_MISC)
packetstormsecurity.com/files/157808/Plesk-myLittleAdmin-ViewState-.NET-Deseria… (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-13166?: CVE-2020-13166 is a vulnerability in N/a. Published 2020-05-19.
Is CVE-2020-13166 known to be exploited?: 3 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.