CVE-2020-7213
https://notcve.org/view.php?id=CVE-2020-7213
Parallels 13 uses cleartext HTTP as part of the update process, allowing man-in-the-middle attacks. Users of out-of-date versions are presented with a pop-up window for a parallels_updates.xml file on the http://update.parallels.com web site.
References: http://almorabea.net/cves/cve-2020-7213.txt, http://almorabea.net/en/2020/01/19/write-up-for-the-parallel-vulnerability-cve-2020-7213, https://parallels.com
CWE-312: Cleartext Storage of Sensitive Information
CVE-2019-17148 – Parallels Desktop Command Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-17148
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop version 14.1.3 (45485). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of root.
References: https://www.zerodayinitiative.com/advisories/ZDI-19-1028
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'); CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2019-18793 – Parallels Plesk Panel 9.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-18793
Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter.
References: http://packetstormsecurity.com/files/155175/Parallels-Plesk-Panel-9.5-Cross-Site-Scripting.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4878 – Plesk < 9.5.4 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-4878
The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823.
References: https://www.exploit-db.com/exploits/25986, http://kb.parallels.com/116241, http://seclists.org/fulldisclosure/2013/Jun/21, http://www.kb.cert.org/vuls/id/673343
CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-0133
https://notcve.org/view.php?id=CVE-2013-0133
Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11.0.9 allows local users to gain privileges via a crafted PATH environment variable.
References: http://www.kb.cert.org/vuls/id/310500