Description
In the web interface of Parallels Remote Application Server (RAS) 15.5 Build 16140, a vulnerability exists due to improper validation of the file path when requesting a resource under the "RASHTML5Gateway" directory. A remote, unauthenticated attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences.
References (2)
Core 2
Core References
Broken Link exploit
x_refsource_exploit-db
https://www.exploit-db.com/exploits/442321/
Exploit, Third Party Advisory x_refsource_misc
https://blog.runesec.com/2018/02/22/parallels-ras-path-traversal/
Scores
CVSS v3
7.5
EPSS
0.0205
EPSS Percentile
78.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (1)
parallels/remote_application_server
15.5
Published
Feb 28, 2018
Tracked Since
Feb 18, 2026