CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2023-45894
https://notcve.org/view.php?id=CVE-2023-45894
14 Dec 2023 — The Remote Application Server in Parallels RAS before 19.2.23975 does not segment virtualized applications from the server, which allows a remote attacker to achieve remote code execution via standard kiosk breakout techniques. El servidor de aplicaciones remotas en Parallels RAS anterior a 19.2.23975 no segmenta las aplicaciones virtualizadas del servidor, lo que permite a un atacante remoto lograr la ejecución remota de código mediante técnicas de ruptura de quiosco estándar. • https://github.com/Oracle-Security/CVEs/blob/main/Parallels%20Remote%20Server/readme.md •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 2CVE-2022-40870
https://notcve.org/view.php?id=CVE-2022-40870
22 Nov 2022 — The Web Client of Parallels Remote Application Server v18.0 is vulnerable to Host Header Injection attacks. This vulnerability allows attackers to execute arbitrary commands via a crafted payload injected into the Host header. El cliente web de Parallels Remote Application Server v18.0 es vulnerable a ataques de inyección de encabezado de host. Esta vulnerabilidad permite a los atacantes ejecutar comandos arbitrarios a través de un payload manipulado inyectado en el encabezado del Host. • https://github.com/IthacaLabs/Parallels/blob/main/ParallelsRemoteApplicationServer/HHI_CVE-2022-40870.txt • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-35710
https://notcve.org/view.php?id=CVE-2020-35710
25 Dec 2020 — Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data. Parallels Remote Application Server (RAS) ... • https://twitter.com/amadapa/status/1342407005110218753 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •