CVE-2017-9447 Information

Description

In the web interface of Parallels Remote Application Server (RAS) 15.5 Build 16140 a vulnerability exists due to improper validation of the file path when requesting a resource under the \RASHTML5Gateway\ directory. A remote unauthenticated attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://blog.runesec.com/2018/02/22/parallels-ras-path-traversal/ https://www.exploit-db.com/exploits/442321/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

7.5