Code Injection in Origin Client - CVE-2019-11354
Published: April 20, 2019 / Updated: June 17, 2021
Vulnerability identifier: #VU35984
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2019-11354
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: Electronic Arts
Affected software:
Origin Client
Origin Client
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication.
How to mitigate CVE-2019-11354
Install update from vendor's website.
Sources
- http://gamasutra.com/view/news/340907/A_nowfixed_Origin_vulnerability_potentially_opened_the_client_to_hackers.php
- http://packetstormsecurity.com/files/153375/dotProject-2.1.9-SQL-Injection.html
- http://packetstormsecurity.com/files/153485/EA-Origin-Template-Injection-Remote-Code-Execution.html
- https://blog.underdogsecurity.com/rce_in_origin_client/
- https://gizmodo.com/ea-origin-users-update-your-client-now-1834079604
- https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/
- https://www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per-link-aus-1904-140738.html
- https://www.pcmag.com/news/367801/security-flaw-allowed-any-app-to-run-using-eas-origin-clien
- https://www.techradar.com/news/major-security-flaw-found-in-ea-origin-gaming-client
- https://www.thesun.co.uk/tech/8877334/sims-4-battlefield-fifa-origin-hackers/
- https://www.trustedreviews.com/news/time-update-origin-eas-game-client-security-risk-just-installed-3697942
- https://www.vg247.com/2019/04/17/ea-origin-security-flaw-run-malicious-code-fixed/