
Eva

Researcher from kibty.town
#23319 of 53,622
10 Total CVSS
Vulnerabilities · 1
PT-2024-6951
10
2024-08-25
Arc · Arc · CVE-2024-45489
**Name of the Vulnerable Software and Affected Versions**

Arc versions prior to 2024-08-26

**Description**

The issue is related to a remote code execution vulnerability in JavaScript boosts. Normally, boosts running JavaScript cannot be shared by default; however, due to misconfigured Firebase ACLs, it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary JavaScript on that browser in a privileged context. There are no reported affected users.

**Recommendations**

For Arc versions prior to 2024-08-26, update to a version released after 2024-08-26 to resolve the issue. As a temporary workaround, consider restricting access to JavaScript boosts to minimize the risk of exploitation.