CVE-2020-35710
N/A
N/A
Summary
Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://www.elladodelmal.com/2020/12/blue-team-red-team-como-parallels-ras.html
- https://twitter.com/amadapa/status/1342407005110218753
References
- https://www.elladodelmal.com/2020/12/blue-team-red-team-como-parallels-ras.html
- https://twitter.com/amadapa/status/1342407005110218753
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.