A lack of code signature verification in Parallels Desktop for Mac v19.3.0 and below allows attackers to escalate privileges via a crafted macOS installer, because Parallels Service is setuid root.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.