CVE-2019-18893

Published: Jan 13, 2020Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

XSS in the Video Downloader component before 1.5 of Avast Secure Browser 77.1.1831.91 and AVG Secure Browser 77.0.1790.77 allows websites to execute their code in the context of this component. While Video Downloader is technically a browser extension, it is granted a very wide set of privileges and can for example access cookies and browsing history, spy on the user while they are surfing the web, and alter their surfing experience in almost arbitrary ways.

Affected (3)

Products: Avast: Secure Browser · Avg: Secure Browser · Video Downloader Project: Video Downloader

1 product

1 product

Video Downloader Project

1 product

Video Downloader

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Avast Secure Browser	Version 77.1.1831.91
Avg Secure Browser	Version 77.0.1790.77
Video Downloader Project Video Downloader	Before 1.5

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://palant.de/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit/

Source: cve@mitre.org

ExploitThird Party Advisory

https://palant.de/2020/01/13/pwning-avast-secure-browser-for-fun-and-profit/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.