Local Credential Exposure in Avira Free Antivirus Software
CVE-2020-12680

5.5MEDIUM

Key Information:

Vendor

Avira

Status
Free Antivirus
Vendor
CVE Published:
8 May 2020

What is CVE-2020-12680?

Avira Free Antivirus, specifically versions up to 15.0.2005.1866, presents a vulnerability allowing local users to access sensitive user credentials. The associated executable, Avira.PWM.NativeMessaging.exe, collects credentials stored in web browsers such as Chrome, Firefox, Opera, and Edge without properly verifying the calling program. As a result, requests aimed at fetching Chrome passwords or other stored credentials can be executed, potentially exposing sensitive information to unauthorized local users. Despite some third parties disputing the severity of this issue, it raises significant security concerns for users relying on Avira's antivirus solution.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://twitter.com/taviso/status/1258448515912491026
x_refsource_MISC
https://medium.com/%40knikolenko/avira-free-antivirus-pas...
x_refsource_MISC

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.