CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2020-10862
https://notcve.org/view.php?id=CVE-2020-10862
01 Apr 2020 — An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to achieve Local Privilege Escalation (LPE) via RPC. Se detectó un problema en Avast Antivirus versiones anteriores a 20. El endpoint de aswTask RPC para la biblioteca TaskEx en el Avast Service (AvastSvc.exe) permite a atacantes lograr una Escalada de Privilegios Local (LPE) por medio de una RPC. • https://forum.avast.com/index.php?topic=232420.0 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-10861
https://notcve.org/view.php?id=CVE-2020-10861
01 Apr 2020 — An issue was discovered in Avast Antivirus before 20. The aswTask RPC endpoint for the TaskEx library in the Avast Service (AvastSvc.exe) allows attackers to achieve Arbitrary File Deletion from Avast Program Path via RPC, when Self Defense is Enabled. Se detectó un problema en Avast Antivirus versiones anteriores a 20. El endpoint de aswTask RPC para la biblioteca TaskEx en el Avast Service (AvastSvc.exe) permite a atacantes lograr una Eliminación de Archivos Arbitrarios de Avast Program Path por medio de ... • https://forum.avast.com/index.php?topic=232420.0 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-10860
https://notcve.org/view.php?id=CVE-2020-10860
01 Apr 2020 — An issue was discovered in Avast Antivirus before 20. An Arbitrary Memory Address Overwrite vulnerability in the aswAvLog Log Library results in Denial of Service of the Avast Service (AvastSvc.exe). Se detectó un problema en Avast Antivirus versiones anteriores a 20. Una vulnerabilidad de Sobrescritura de Dirección de Memoria Arbitraria en la aswAvLog Log Library que resulta en una Denegación de Servicio del Avast Service (AvastSvc.exe). • https://forum.avast.com/index.php?topic=232420.0 • CWE-787: Out-of-bounds Write •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-8987
https://notcve.org/view.php?id=CVE-2020-8987
09 Mar 2020 — Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with "Allow filtering of HTTPS traffic for tracking detection" enabled. (This is the default configuration.) Avast AntiTrack versiones anteriores a 1.5.1.172 y AVG Antitrack versiones anteriores a 2.0.0.178, envían tráfico hacia... • https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast • CWE-295: Improper Certificate Validation •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-9399 – AVAST Generic Archive Bypass
https://notcve.org/view.php?id=CVE-2020-9399
26 Feb 2020 — The Avast AV parsing engine allows virus-detection bypass via a crafted ZIP archive. This affects versions before 12 definitions 200114-0 of Antivirus Pro, Antivirus Pro Plus, and Antivirus for Linux. El motor de análisis de Avast AV permite la detección de virus por medio de un archivo ZIP diseñado. Esto afecta a las versiones anteriores a 12 definiciones de 200114-0 de Antivirus Pro, Antivirus Pro Plus y Antivirus para Linux. The AVAST parsing engine supports the ZIP archive format. • https://blog.zoller.lu/p/tzo-23-2020-avast-generic-archive.html • CWE-436: Interpretation Conflict •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-17190 – Avast Secure Browser 76.0.1659.101 Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2019-17190
27 Jan 2020 — A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the elevated process cleans the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update\ and sets all privileges to group Everyone. Because any low-privileged user can create, delete, or modify the... • http://packetstormsecurity.com/files/156844/Avast-Secure-Browser-76.0.1659.101-Local-Privilege-Escalation.html • CWE-863: Incorrect Authorization •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2019-18894
https://notcve.org/view.php?id=CVE-2019-18894
13 Jan 2020 — In Avast Premium Security 19.8.2393, attackers can send a specially crafted request to the local web server run by Avast Antivirus on port 27275 to support Bank Mode functionality. A flaw in the processing of a command allows execution of arbitrary OS commands with the privileges of the currently logged in user. This allows for example attackers who compromised a browser extension to escape from the browser sandbox. En Avast Premium Security versión 19.8.2393, los atacantes pueden enviar una petición especi... • https://palant.de/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2019-18893
https://notcve.org/view.php?id=CVE-2019-18893
13 Jan 2020 — XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways. Una vulnerabilidad de tipo XSS en el componente V... • https://palant.de/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2019-18653
https://notcve.org/view.php?id=CVE-2019-18653
01 Nov 2019 — A Cross Site Scripting (XSS) issue exists in Avast AntiVirus (Free, Internet Security, and Premiere Edition) 19.3.2369 build 19.3.4241.440 in the Network Notification Popup, allowing an attacker to execute JavaScript code via an SSID Name. Se presenta un problema de tipo Cross Site Scripting (XSS) en Avast AntiVirus (Free, Internet Security y Premiere Edition) versión 19.3.2369 build 19.3.4241.440, en la ventana emergente de notificación de red, permitiendo a un atacante ejecutar código JavaScript por medio... • http://firstsight.me/2019/10/5000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-17093
https://notcve.org/view.php?id=CVE-2019-17093
23 Oct 2019 — An issue was discovered in Avast antivirus before 19.8 and AVG antivirus before 19.8. A DLL Preloading vulnerability allows an attacker to implant %WINDIR%\system32\wbemcomn.dll, which is loaded into a protected-light process (PPL) and might bypass some of the self-defense mechanisms. This affects all components that use WMI, e.g., AVGSvc.exe 19.6.4546.0 and TuneupSmartScan.dll 19.1.884.0. Se detectó un problema en Avast antivirus versiones anteriores a 19.8 y AVG antivirus versiones anteriores a 19.8. Una ... • https://safebreach.com/Post/Avast-Antivirus-AVG-Antivirus-DLL-Preloading-into-PPL-and-Potential-Abuses • CWE-427: Uncontrolled Search Path Element •