Lucene search

[email protected]NVD:CVE-2019-11354

HistoryApr 19, 2019 - 10:29 p.m.

CVE-2019-11354

2019-04-1922:29:00

CWE-74

[email protected]

web.nvd.nist.gov

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.492 Medium

EPSS

Percentile

97.5%

JSON

The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication.

Affected configurations

NVD

Node

eaoriginMatch10.5.36windows

References

gamasutra.com/view/news/340907/A_nowfixed_Origin_vulnerability_potentially_opened_the_client_to_hackers.php

packetstormsecurity.com/files/153375/dotProject-2.1.9-SQL-Injection.html

packetstormsecurity.com/files/153485/EA-Origin-Template-Injection-Remote-Code-Execution.html

blog.underdogsecurity.com/rce_in_origin_client/

gizmodo.com/ea-origin-users-update-your-client-now-1834079604

techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/

www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per-link-aus-1904-140738.html

www.pcmag.com/news/367801/security-flaw-allowed-any-app-to-run-using-eas-origin-clien

www.techradar.com/news/major-security-flaw-found-in-ea-origin-gaming-client

www.thesun.co.uk/tech/8877334/sims-4-battlefield-fifa-origin-hackers/

www.trustedreviews.com/news/time-update-origin-eas-game-client-security-risk-just-installed-3697942

www.vg247.com/2019/04/17/ea-origin-security-flaw-run-malicious-code-fixed/

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.492 Medium

EPSS

Percentile

97.5%

JSON

Related for NVD:CVE-2019-11354

zdt2 prion1 packetstorm3 checkpoint_advisories1 cve1 cvelist1 myhack581 exploitpack1 exploitdb1