CVE-2019-11354
Published 2019-04-19
Priority P3 57 · high · 7.8 CVSS 3.1
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.13% (97.5th percentile)
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ea | origin | — | — |
Detection & IOCs (extracted from sources)
- Monitor for invocation of the Origin2 URI handler (origin2://) with a 'title' parameter containing AngularJS template injection payloads (e.g., {{ }}) which can be used to escape the AngularJS sandbox and achieve RCE.
- Alert on QDesktopServices handling of origin2:// URIs in EA Origin 10.5.36 on Windows, particularly where the title parameter contains template expression syntax.
- The vulnerability is specific to EA Origin version 10.5.36 on Windows; other versions or platforms are not confirmed affected by this CVE.
CVSS provenance
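| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |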
No detection rules found.
No writeups or analysis indexed.
- http://gamasutra.com/view/news/340907/A_nowfixed_Origin_vulnerability_potentially_opened_the_client_to_hackers.php
- http://packetstormsecurity.com/files/153375/dotProject-2.1.9-SQL-Injection.html
- http://packetstormsecurity.com/files/153485/EA-Origin-Template-Injection-Remote-Code-Execution.html
- https://blog.underdogsecurity.com/rce_in_origin_client/
- https://gizmodo.com/ea-origin-users-update-your-client-now-1834079604
- https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/
- https://www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per-link-aus-1904-140738.html
- https://www.pcmag.com/news/367801/security-flaw-allowed-any-app-to-run-using-eas-origin-clien
- https://www.techradar.com/news/major-security-flaw-found-in-ea-origin-gaming-client
- https://www.thesun.co.uk/tech/8877334/sims-4-battlefield-fifa-origin-hackers/
- https://www.trustedreviews.com/news/time-update-origin-eas-game-client-security-risk-just-installed-3697942
- https://www.vg247.com/2019/04/17/ea-origin-security-flaw-run-malicious-code-fixed/
Published: 2019-04-19