CVE-2019-18893

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways.

Una vulnerabilidad de tipo XSS en el componente Video Downloader versiones anteriores a la versión 1.5 del Avast Secure Browser versión 77.1.1831.91 y AVG Secure Browser versión 77.0.1790.77, permite a los sitios web ejecutar su código en el contexto de este componente. Aunque Video Downloader es técnicamente una extensión del navegador, se le otorga un rango muy amplio de privilegios y puede, por ejemplo, acceder a cookies y al historial de navegación, espiar al usuario mientras navega en la web y alterar su experiencia de navegación en modos casi arbitrarios.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-11-12 CVE Reserved
2020-01-13 CVE Published
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
2024-08-05 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://palant.de/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit	2024-08-05

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Avast Search vendor "Avast"		Secure Browser Search vendor "Avast" for product "Secure Browser"				77.1.1831.91 Search vendor "Avast" for product "Secure Browser" and version "77.1.1831.91"		-		Affected
Avg Search vendor "Avg"		Secure Browser Search vendor "Avg" for product "Secure Browser"				77.0.1790.77 Search vendor "Avg" for product "Secure Browser" and version "77.0.1790.77"		-		Affected
Video Downloader Project Search vendor "Video Downloader Project"		Video Downloader Search vendor "Video Downloader Project" for product "Video Downloader"				< 1.5 Search vendor "Video Downloader Project" for product "Video Downloader" and version " < 1.5"		-		Affected