Security researcher YoKo Kho was recently awarded $5,000 for discovering an XSS (cross site scripting) vulnerability within Avast Anti-Virus for Windows desktop devices. Normally this would not be an issue for desktop applications, but Avast appears to be rendering HTML in at least some portions of their product. Avast has a prompt for when a user connects to a new wireless network that will display the SSID (name) of that network. Without proper sanitization, it’s possible to set a network name to a short snippet of HTML that Avast will then try to display as part of its own application. This could give an attacker the ability to do things like showing a popup on the victim’s machine or displaying a login form on the network connection prompt from Avast.
Analyst Notes
: It’s never a good idea to connect to an unfamiliar network. On top of this particular vulnerability from Avast caused by seeing HTML in the network name, end-users should not expect any form of privacy or security from connecting to unknown, open networks. Whenever possible, all software (especially anti-virus products!) should be kept up-to-date in hopes of fixing any issues like this one that may exist.
Source: https://medium.com/bugbountywriteup/5-000-usd-xss-issue-at-avast-desktop-antivirus-for-windows-yes-desktop-1e99375f0968
