CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27328 – Parallels Desktop Toolgate XML Injection Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-27328
07 Mar 2023 — Parallels Desktop Toolgate XML Injection Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied string before using it to construct an XML docum... • https://kb.parallels.com/125013 • CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27323 – Parallels Desktop Updater Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-27323
07 Mar 2023 — Parallels Desktop Updater Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. By creating a symbolic link, an attacker can abuse the service to execute a file. • https://kb.parallels.com/125013 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27322 – Parallels Desktop Service Improper Initialization Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-27322
07 Mar 2023 — Parallels Desktop Service Improper Initialization Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper initialization of environment variables. • https://kb.parallels.com/125013 • CWE-665: Improper Initialization •
CVSS: 8.2EPSS: 1%CPEs: 1EXPL: 2CVE-2023-27326 – Parallels Desktop Toolgate Directory Traversal Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-27326
07 Mar 2023 — Parallels Desktop Toolgate Directory Traversal Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations... • https://github.com/Malwareman007/CVE-2023-27326 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27325 – Parallels Desktop Updater Improper Initialization Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-27325
07 Mar 2023 — Parallels Desktop Updater Improper Initialization Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. The issue results from the lack of proper initialization of environment variables. • https://kb.parallels.com/125013 • CWE-665: Improper Initialization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27327 – Parallels Desktop Toolgate Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-27327
07 Mar 2023 — Parallels Desktop Toolgate Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper locking when performing operations on an object. • https://github.com/kn32/parallels-plist-escape • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27324 – Parallels Desktop Updater Improper Initialization Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-27324
07 Mar 2023 — Parallels Desktop Updater Improper Initialization Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. The issue results from the lack of proper initialization of environment variables. • https://kb.parallels.com/125013 • CWE-665: Improper Initialization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 2CVE-2022-40870
https://notcve.org/view.php?id=CVE-2022-40870
22 Nov 2022 — The Web Client of Parallels Remote Application Server v18.0 is vulnerable to Host Header Injection attacks. This vulnerability allows attackers to execute arbitrary commands via a crafted payload injected into the Host header. El cliente web de Parallels Remote Application Server v18.0 es vulnerable a ataques de inyección de encabezado de host. Esta vulnerabilidad permite a los atacantes ejecutar comandos arbitrarios a través de un payload manipulado inyectado en el encabezado del Host. • https://github.com/IthacaLabs/Parallels/blob/main/ParallelsRemoteApplicationServer/HHI_CVE-2022-40870.txt • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34899 – Parallels Access Agent Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-34899
01 Jul 2022 — This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels service. By creating a symbolic link, an attacker can abuse the service to execute a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the con... • https://kb.parallels.com/en/129010 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34901 – Parallels Access Agent Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-34901
01 Jul 2022 — This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Access 6.5.4 (39316) Agent. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The service executes files from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. • https://kb.parallels.com/en/129010 • CWE-427: Uncontrolled Search Path Element •