CVE-2019-18894 — HIGH (7.8)

Vulnerability Description

In Avast Premium Security 19.8.2393, attackers can send a specially crafted request to the local web server run by Avast Antivirus on port 27275 to support Bank Mode functionality. A flaw in the processing of a command allows execution of arbitrary OS commands with the privileges of the currently logged in user. This allows for example attackers who compromised a browser extension to escape from the browser sandbox.

CVSS Score

7.8

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Avast	Premium Security	19.8.2393

Related Weaknesses (CWE)

CWE-78

References

https://palant.de/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit/ExploitThird Party Advisory
https://palant.de/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit/ExploitThird Party Advisory

FAQ

What is CVE-2019-18894?

CVE-2019-18894 is a vulnerability with a CVSS score of 7.8 (HIGH). In Avast Premium Security 19.8.2393, attackers can send a specially crafted request to the local web server run by Avast Antivirus on port 27275 to support Bank Mode functionality. A flaw in the proce...

How severe is CVE-2019-18894?

CVE-2019-18894 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-18894?

Check the references section above for vendor advisories and patch information. Affected products include: Avast Premium Security.