CVE-2022-34891 – Parallels Desktop Updater Incorrect Permission Assignment Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-34891
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop 17.1.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the update machanism. The product sets incorrect permissions on sensitive files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. • https://kb.parallels.com/125013 https://www.zerodayinitiative.com/advisories/ZDI-22-942 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2022-34890 – Parallels Desktop Tools Untrusted Pointer Dereference Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-34890
This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 17.1.1 (51537). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Tools component. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the kernel. • https://kb.parallels.com/125013 https://www.zerodayinitiative.com/advisories/ZDI-22-941 • CWE-822: Untrusted Pointer Dereference •
CVE-2022-34892 – Parallels Desktop Updater Race Condition Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2022-34892
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop Parallels Desktop 17.1.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the update machanism. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. • https://kb.parallels.com/125013 https://www.zerodayinitiative.com/advisories/ZDI-22-943 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2022-30777
https://notcve.org/view.php?id=CVE-2022-30777
Parallels H-Sphere 3.6.1713 allows XSS via the index_en.php from parameter. Parallels H-Sphere versión 3.6.1713 permite un ataque de tipo XSS por medio del parámetro index_en.php from • https://en.wikipedia.org/wiki/H-Sphere https://medium.com/%40bhattronit96/cve-2022-30777-45725763ab59 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-34986 – Parallels Desktop Service Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-34986
This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 16.5.0 (49183). An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. By creating a symbolic link, an attacker can abuse the service to execute a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. • https://kb.parallels.com/en/125013 https://www.zerodayinitiative.com/advisories/ZDI-22-385 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •