CVE-2020-15860

Severity Score

9.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected application not being published. In addition, it was discovered that it is possible to access any host in the internal domain, even if it has no published applications or the mentioned host is no longer associated with that server farm.

Parallels Remote Application Server (RAS) versión 17.1.1, presenta un Error de Lógica de Negocios que causa una ejecución de código remota. Permite a un usuario autenticado ejecutar cualquier aplicación en el sistema operativo backend por medio de la aplicación web, a pesar de que la aplicación afectada no ha sido publicada. Además, se detectó que es posible acceder a cualquier host en el dominio interno, inclusive si no tiene aplicaciones publicadas o si el host mencionado ya no está asociado con esa granja de servidores

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-07-20 CVE Reserved
2020-07-24 CVE Published
2023-12-12 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (3)

URL	Tag	Source
https://www.parallels.com/products/ras/remote-application-server	Product

URL	Date	SRC
https://www.coresecurity.com/core-labs/advisories/parallels-ras-os-command-execution	2024-08-04

URL	Date	SRC

URL	Date	SRC
https://kb.parallels.com/en/125112	2023-01-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Parallels Search vendor "Parallels"		Remote Application Server Search vendor "Parallels" for product "Remote Application Server"				17.1.1 Search vendor "Parallels" for product "Remote Application Server" and version "17.1.1"		-		Affected