Multiple vulnerabilities in Parallels Desktop
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2023-27326 CVE-2023-27327 CVE-2023-27328 |
| CWE-ID | CWE-22 CWE-367 CWE-91 |
| Exploitation vector | Local |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. |
| Vulnerable software |
Parallels Desktop Operating systems & Components / Operating system package or component |
| Vendor | Parallels |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU73226
Risk: Low
CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-27326
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the Toolgate component. A local administrator can send a specially crafted HTTP request and execute arbitrary code with elevated privileges.
MitigationInstall update from vendor's website.
Vulnerable software versionsParallels Desktop: before 18.1.1
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-23-221/
https://kb.parallels.com/125013
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Time-of-check Time-of-use (TOCTOU) Race Condition
EUVDB-ID: #VU73233
Risk: Low
CVSSv4.0: 6.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-27327
CWE-ID:
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a time-of-check-time-of-use (TOCTOU) race condition within the Toolgate component. A local administrator can gain elevated privileges on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsParallels Desktop: before 18.1.1
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-23-215/
https://kb.parallels.com/125013
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) XML injection
EUVDB-ID: #VU73228
Risk: Low
CVSSv4.0: 6.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2023-27328
CWE-ID:
CWE-91 - XML Injection
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation when processing XML data within the Toolgate component. A local user can pass specially crafted XML data to the application and gain elevated privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsParallels Desktop: before 18.1.1
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-23-220/
https://kb.parallels.com/125013
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
