CVE-2024-45489
CRITICALArc < 2024-08-26 - Remote Code Execution via Misconfigured Firebase ACLs
Title source: llmDescription
Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context. NOTE: this is a no-action cloud vulnerability with zero affected users.
References (3)
Core 3
Core References
Various Sources
https://arc.net/blog/CVE-2024-45489-incident-response
Various Sources
https://kibty.town/blog/arc/
Various Sources
https://news.ycombinator.com/item?id=41597250
Scores
CVSS v3
9.8
EPSS
0.0124
EPSS Percentile
65.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-284
Status
published
Published
Sep 20, 2024
Tracked Since
Feb 18, 2026