Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Security-Advisories/CVE 2020-15914
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
26 lines (15 sloc)
1.26 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Severity: Important | |
| CVSS Score: 8.2 | |
| Status: Fixed | |
| Affected Software: Origin for Mac & PC version 10.5.86 (or earlier) | |
| CVE ID: CVE-2020-15914 | |
| Description | |
| A cross-site scripting (XSS) vulnerability exists in the Origin Client that could allow a remote attacker to execute arbitrary Javascript in a target user’s Origin client. | |
| An attacker could use this vulnerability to access sensitive data related to the target user’s Origin account, or to control or monitor the Origin text chat window. | |
| Attack Scenario | |
| To successfully leverage the vulnerability, the attacker must log into the Origin Client using a valid Origin account, | |
| and use Origin’s text chat functionality to send a specially crafted text chat message to the affected system. | |
| The crafted message contains a Javascript payload that will execute in the Origin Client, when the client next starts. | |
| If the message is delivered, and the system is not running the Origin Client at that time, the payload will execute when the user next runs the Origin Client. | |
| If the user is already running the Origin client when the message is delivered, the payload will not execute immediately. | |
| The attacker must wait for the user to restart the Origin Client, or otherwise convince the user to restart their Origin Client. |