CVE-2020-15914
Description
Cross-site scripting in Origin Client ≤10.5.86 allows remote attacker to execute JS via crafted chat message, accessing account data or controlling chat.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in Origin Client ≤10.5.86 allows remote attacker to execute JS via crafted chat message, accessing account data or controlling chat.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Origin Client for Mac and PC version 10.5.86 or earlier. The flaw resides in the chat message handling, allowing arbitrary JavaScript injection via a specially crafted text chat message. The vulnerable code path is triggered when the client starts and processes queued messages [1].
Exploitation
To exploit, an attacker must have a valid Origin account and be on the target user's friends list. The attacker sends a crafted message containing JavaScript via Origin's text chat. The payload does not execute immediately if the user is currently running Origin; instead, it will execute when the client next starts. If the user is not running Origin, the payload executes on the next launch. An alternative is to convince the user to restart Origin [1].
Impact
Successful exploitation allows arbitrary JavaScript execution in the Origin client. The attacker can access sensitive data related to the target's Origin account and control or monitor the Origin text chat window [1].
Mitigation
The vulnerability is fixed in an update to the Origin Client. EA has released a fix, though the specific fixed version is not disclosed in the advisory. Users should ensure their Origin Client is up to date to mitigate the risk [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Origin/Origin Clientdescription
- Range: <=10.5.86
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- github.com/Monairy/Security-Advisories/blob/master/CVE%202020-15914mitrex_refsource_MISC
- www.ea.com/security/news/easec-2020-003-cross-site-scripting-vulnerability-in-origin-clientmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.