Parallels Remote Application Server Vulnerability - CVE-2020-35710

1 users found this article helpful

Severity

Medium

Description

Parallels Remote Application Server (RAS) 18 allows remote attackers to discover an intranet IP address because submission of the login form (even with blank credentials) provides this address to the attacker's client for use as a "host" value. In other words, after an attacker's web browser sent a request to the login form, it would automatically send a second request to a RASHTML5Gateway/socket.io URI with something like "host":"192.168.###.###" in the POST data.

Reference

CVE-2020-35710 - https://nvd.nist.gov/vuln/detail/CVE-2020-35710

Resolution

The fix is available in RAS v18.0.1.1 (22497)

Was this article helpful?

Tell us how we can improve it.