QwikSec

Security Database

CVE

CWE

Training

CVE-2019-11354

Published: Apr 19, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://blog.underdogsecurity.com/rce_in_origin_client/

x_refsource_MISC

https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/

x_refsource_MISC

http://gamasutra.com/view/news/340907/A_nowfixed_Origin_vulnerability_potentially_opened_the_client_to_hackers.php

x_refsource_MISC

https://www.thesun.co.uk/tech/8877334/sims-4-battlefield-fifa-origin-hackers/

x_refsource_MISC

https://gizmodo.com/ea-origin-users-update-your-client-now-1834079604

x_refsource_MISC

https://www.pcmag.com/news/367801/security-flaw-allowed-any-app-to-run-using-eas-origin-clien

x_refsource_MISC

https://www.techradar.com/news/major-security-flaw-found-in-ea-origin-gaming-client

x_refsource_MISC

https://www.trustedreviews.com/news/time-update-origin-eas-game-client-security-risk-just-installed-3697942

x_refsource_MISC

https://www.vg247.com/2019/04/17/ea-origin-security-flaw-run-malicious-code-fixed/

x_refsource_MISC

https://www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per-link-aus-1904-140738.html

x_refsource_MISC

http://packetstormsecurity.com/files/153375/dotProject-2.1.9-SQL-Injection.html

x_refsource_MISC

http://packetstormsecurity.com/files/153485/EA-Origin-Template-Injection-Remote-Code-Execution.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.