
CVE-2020-8871 – Parallels Desktop VGA Out-Of-Bounds Write Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2020-8871
13 Mar 2020 — This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop 15.1.0-47107. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the VGA virtual device. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to ... • https://www.zerodayinitiative.com/advisories/ZDI-20-292 • CWE-787: Out-of-bounds Write

CVE-2020-7213
https://notcve.org/view.php?id=CVE-2020-7213
21 Jan 2020 — Parallels 13 uses cleartext HTTP as part of the update process, allowing man-in-the-middle attacks. Users of out-of-date versions are presented with a pop-up window for a parallels_updates.xml file on the http://update.parallels.com web site. • http://almorabea.net/cves/cve-2020-7213.txt • CWE-312: Cleartext Storage of Sensitive Information

CVE-2019-17148 – Parallels Desktop Command Injection Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2019-17148
20 Dec 2019 — This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop version 14.1.3 (45485). An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Parallels Service. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerabilit... • https://www.zerodayinitiative.com/advisories/ZDI-19-1028 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2019-18793 – Parallels Plesk Panel 9.5 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2019-18793
06 Nov 2019 — Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/index.htm? via the "fileName" parameter. Parallels Plesk Panel version 9.5 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/155175 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-9447
https://notcve.org/view.php?id=CVE-2017-9447
28 Feb 2018 — In the web interface of Parallels Remote Application Server (RAS) 15.5 Build 16140, a vulnerability exists due to improper validation of the file path when requesting a resource under the "RASHTML5Gateway" directory. A remote, unauthenticated attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences. • https://blog.runesec.com/2018/02/22/parallels-ras-path-traversal • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2013-4878 – Plesk < 9.5.4 - Remote Command Execution
https://notcve.org/view.php?id=CVE-2013-4878
18 Jul 2013 — The default configuration of Parallels Plesk Panel 9.0.x and 9.2.x on UNIX, and Small Business Panel 10.x on UNIX, has an improper ScriptAlias directive for phppath, which makes it easier for remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2012-1823. • https://www.exploit-db.com/exploits/25986 • CWE-264: Permissions, Privileges, and Access Controls

CVE-2013-0133
https://notcve.org/view.php?id=CVE-2013-0133
18 Apr 2013 — Untrusted search path vulnerability in /usr/local/psa/admin/sbin/wrapper in Parallels Plesk Panel 11.0.9 allows local users to gain privileges via a crafted PATH environment variable. • http://www.kb.cert.org/vuls/id/310500

CVE-2013-0132
https://notcve.org/view.php?id=CVE-2013-0132
18 Apr 2013 — The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables. • http://www.kb.cert.org/vuls/id/310500 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2012-5004
https://notcve.org/view.php?id=CVE-2012-5004
19 Sep 2012 — Multiple cross-site request forgery (CSRF) vulnerabilities in Parallels H-Sphere 3.3 Patch 1 allow remote attackers to hijack the authentication of admins for requests that (1) add group plans via admin/group_plans.html or (2) add extra packages via admin/extra_packs/create_extra_pack.html. • http://osvdb.org/78505 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2012-1557
https://notcve.org/view.php?id=CVE-2012-1557
12 Mar 2012 — SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012. • http://download1.parallels.com/Plesk/PP10/parallels-plesk-panel-10-linux-updates-release-notes.html#10216 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')