CVE-2019-11354 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 97%

Vendor	Product	Version
ea	origin	10.5.36

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

http://gamasutra.com/view/news/340907/A_nowfixed_Origin_vulnerability_potentially_opened_the_client_to_hackers.php

http://packetstormsecurity.com/files/153375/dotProject-2.1.9-SQL-Injection.html

http://packetstormsecurity.com/files/153485/EA-Origin-Template-Injection-Remote-Code-Execution.html

https://blog.underdogsecurity.com/rce_in_origin_client/

https://gizmodo.com/ea-origin-users-update-your-client-now-1834079604

https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/

https://www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per-link-aus-1904-140738.html

https://www.pcmag.com/news/367801/security-flaw-allowed-any-app-to-run-using-eas-origin-clien

https://www.techradar.com/news/major-security-flaw-found-in-ea-origin-gaming-client

https://www.thesun.co.uk/tech/8877334/sims-4-battlefield-fifa-origin-hackers/

https://www.trustedreviews.com/news/time-update-origin-eas-game-client-security-risk-just-installed-3697942

https://www.vg247.com/2019/04/17/ea-origin-security-flaw-run-malicious-code-fixed/

http://gamasutra.com/view/news/340907/A_nowfixed_Origin_vulnerability_potentially_opened_the_client_to_hackers.php

http://packetstormsecurity.com/files/153375/dotProject-2.1.9-SQL-Injection.html

http://packetstormsecurity.com/files/153485/EA-Origin-Template-Injection-Remote-Code-Execution.html

https://blog.underdogsecurity.com/rce_in_origin_client/

https://gizmodo.com/ea-origin-users-update-your-client-now-1834079604

https://techcrunch.com/2019/04/16/ea-origin-bug-exposed-hackers/

https://www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per-link-aus-1904-140738.html

https://www.pcmag.com/news/367801/security-flaw-allowed-any-app-to-run-using-eas-origin-clien

https://www.techradar.com/news/major-security-flaw-found-in-ea-origin-gaming-client

https://www.thesun.co.uk/tech/8877334/sims-4-battlefield-fifa-origin-hackers/

https://www.trustedreviews.com/news/time-update-origin-eas-game-client-security-risk-just-installed-3697942

https://www.vg247.com/2019/04/17/ea-origin-security-flaw-run-malicious-code-fixed/