Command Injection Vulnerability in Avast Premium Security by Avast
CVE-2019-18894
7.8 HIGH
What is CVE-2019-18894?
A command injection vulnerability exists in Avast Premium Security 19.8.2393 due to improper handling of requests by the local web server that Avast Antivirus runs. An attacker can send specially crafted requests to the Bank Mode functionality on port 27275, potentially executing arbitrary operating system commands with the privileges of the logged-in user. Exploitation could lead to unauthorized actions and breaches, particularly when a browser extension has been compromised, because it lets the attacker escape the browser's security constraints.
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved