Calvin Fong

Name of the Vulnerable Software and Affected Versions: Parallels Desktop version 16.1.3 Description: This issue allows local attackers to escalate privileges on affected installations. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this issue. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in an uncontrolled memory allocation. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of the hypervisor. Recommendations: For Parallels Desktop version 16.1.3, consider disabling the Toolgate component until a patch is available. Restrict access to the Toolgate component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions prior to 6.1.20 **Description** The issue is related to a buffer read operation that can lead to unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. It affects the Core component of Oracle VM VirtualBox and can be exploited by a high-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes. Successful attacks may significantly impact additional products. **Recommendations** For versions prior to 6.1.20, update to version 6.1.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the Core component of Oracle VM VirtualBox to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions prior to 5.2.40 Oracle VM VirtualBox versions prior to 6.0.20 Oracle VM VirtualBox versions prior to 6.1.6 **Description** The issue is related to the Oracle VM VirtualBox product, specifically the Core component. It allows a high-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox, potentially resulting in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. The vulnerability may significantly impact additional products. The `vmsvgaR3FifoUpdateCursor` function of the virtual machine is associated with a lack of protection of service data, which can be exploited to gain unauthorized access to protected information. **Recommendations** For versions prior to 5.2.40, update to version 5.2.40 or later. For versions prior to 6.0.20, update to version 6.0.20 or later. For versions prior to 6.1.6, update to version 6.1.6 or later. As a temporary workaround, consider restricting access to the `vmsvgaR3FifoUpdateCursor` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle VM VirtualBox versions prior to 5.2.40 Oracle VM VirtualBox versions prior to 6.0.20 Oracle VM VirtualBox versions prior to 6.1.6 **Description** The issue is related to insufficient input validation in the graphical controller component of Oracle VM VirtualBox, specifically the VBoxVGA component. This allows a high-privileged attacker with logon access to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks can result in the takeover of Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. **Recommendations** For versions prior to 5.2.40, update to version 5.2.40 or later. For versions prior to 6.0.20, update to version 6.0.20 or later. For versions prior to 6.1.6, update to version 6.1.6 or later.