PT-2022-6512 · Parallels · Parallels Desktop

Alexandre Adamski · Published 2022-12-13 · Updated 2025-08-06 · CVE-2023-27326

CVSS v3.1: 8.2 (High)

Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Parallels Desktop versions prior to 18.1.1

Description

This issue allows local attackers to escalate privileges on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this issue. The specific flaw exists within the Toolgate component, resulting from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this issue to escalate privileges and execute arbitrary code in the context of the current user on the host system. The issue stems from a directory traversal and an incorrect use of Qt's strings, resulting in unexpected behavior.

Recommendations

For Parallels Desktop versions prior to 18.1.1, update to version 18.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Toolgate component until a patch is available. Avoid using the vulnerable component in the affected Parallels Desktop versions until the issue is resolved.

Exploit

Fix

LPE

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2023-01839
CVE-2023-27326
ZDI-23-221

Affected Products

Parallels Desktop