Vulnerability Details CVE-2020-8987
Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with "Allow filtering of HTTPS traffic for tracking detection" enabled. (This is the default configuration.)
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.4%
CVSS Severity
CVSS v3 Score 7.4
CVSS v2 Score 5.8
References
- https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast
- https://www.davideade.com/2020/03/avast-antitrack.html
- https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast
- https://www.davideade.com/2020/03/avast-antitrack.html
Products affected by CVE-2020-8987
-
cpe:2.3:a:avast:antitrack:-
-
cpe:2.3:a:avast:avg_antitrack:-