Business Logic Error in Parallels Remote Application Server Affects Remote Execution Capabilities
CVE-2020-15860

9.9 CRITICAL

Key Information:

Vendor: Parallels

CVE Published: 24 July 2020

What is CVE-2020-15860?

Parallels Remote Application Server version 17.1.1 is affected by a business logic error that lets authenticated users execute arbitrary applications on the backend operating system via the web interface, even if those applications are not published. The vulnerability also allows access to any host within the internal domain, regardless of whether that host has published applications or is still linked to the server farm. This raises significant security concerns regarding unauthorized access and potential exploitation of internal systems.

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
