7 matches found
CVE-2025-0413
Parallels Desktop is affected by CVE-2025-0413 in the Technical Data Reporter component. The flaw lets a local attacker with low privileges abuse symbolic links to change file permissions, enabling privilege escalation to root and potentially arbitrary code execution. Exploitation requires local ...
CVE-2020-35710
Parallels Remote Application Server (RAS) 18 is affected. The issue allows remote attackers to discover an intranet IP address because, after submitting the login form (even with blank credentials), the attacker's client receives the host IP via a second request to RASHTML5Gateway/socket.io conta...
CVE-2022-40870
CVE-2022-40870 affects the Web Client of Parallels Remote Application Server v18.0. The issue is a Host Header Injection that allows an attacker to execute arbitrary commands via a crafted payload in the Host header. CVSSv3.1 base score 8.1 (High) with network access, high complexity, no privileg...
CVE-2017-9447
Parallels Remote Application Server (RAS) 15.5 Build 16140 web interface is vulnerable to a path traversal issue due to improper validation of file paths when requesting resources under the RASHTML5Gateway directory. A remote, unauthenticated attacker could exploit this to read arbitrary files on...
CVE-2020-8968
CVE-2020-8968 affects Parallels Remote Application Server (RAS). A local attacker can retrieve certain profile passwords in clear text by uploading a previously stored cyphered file, compromising confidentiality (and potentially integrity/availability of user data). Exploitation is local and requ...
CVE-2020-15860
Parallels RAS 17.1.1 is affected by a Business Logic Error (CVE-2020-15860) that allows an authenticated user to execute any backend operating-system application via the web application and to access hosts in the internal domain without having published apps. Core Security’s advisory (CORE-2020-0...
CVE-2023-45894
CVE-2023-45894 affects the Parallels Remote Application Server (RAS). The vulnerability stems from the RAS not segmenting virtualized applications from the server, enabling a remote attacker to achieve remote code execution via kiosk-breakout techniques on versions prior to 19.2.23975. Reported s...