XSS Vulnerability in AVAST Antivirus

[German]An XSS vulnerability has been found in the desktop version of AVAST Antivirus for Windows. An attacker could have attacked a system using manipulated WLAN SSID names.


I became aware of this vulnerability via the following tweet, which was found at the beginning of 2019.

At Medium a security resarcher describs his findings (unfortunately only readable with registration, the summary can be found here (deleted)). The security researcher has discovered an XSS vulnerability in the Avast Desktop antivirus tool for Windows.

In summary, according to the findings of the security researcher, an attacker could trigger the vulnerability via simple WiFi SSIDs. SSIDs are the names of Wi-Fi networks. The security researcher found that a potential attacker could place a malicious payload in an SSID name. Then, if a Windows system with Avast antivirus installed connects to this network, the antivirus would run the XSS.

The exploit essentially worked due to a feature in the Avast antivirus program for Windows. By default, the program displays a pop-up notification when the device tries to connect to a WiFi network. Because the SSID name was displayed without prior scanning by the antivirus solution, any potential attacker can add a malicious payload (malicious code) to the SSID name. The malicious code would then be executed.


After script execution, the pop-up notification on the Windows system then displays a fake login prompt created by the attacker. The victim believes to have the router's WLAN access login page and enters his or her credentials. The researcher demonstrated the attack in the following video.

(Source: YouTube)

After discovering the vulnerability, security researcher YoKo Kho reported the find to Avast. The company immediately confirmed the error and later confirmed that it was a serious vulnerability. Avast then awarded the security researcher a $5,000 bonus!

The vulnerability affected not only Avast but also AVG. So the bugs were assigned CVE-2019-18653 for Avast and CVE-2019-18654 for AVG. The security vendor has fixed the vulnerability with the release of Avast 19.4.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *