PT-2020-10005 · Avast · Avast Premium Security

Published: 2020-01-13 · Updated: 2020-01-21 · CVE-2019-18894

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Avast Premium Security version 19.8.2393

Description: A flaw in Avast Premium Security allows attackers to execute arbitrary OS commands with the privileges of the currently logged-in user. This can be achieved by sending a specially crafted request to the local web server on port 27275, which is used to support the Bank Mode functionality. For example, attackers who have compromised a browser extension can use this flaw to escape from the browser sandbox.

Recommendations: For Avast Premium Security version 19.8.2393, consider restricting access to the local web server on port 27275 until a patch is available. As a temporary workaround, disabling the Bank Mode functionality may help minimize the risk of exploitation.

Exploit

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers: CVE-2019-18894

Affected Products: Avast Premium Security