Talos Vulnerability Report TALOS-2024-1995

Ankitects Anki Flask Invalid Path Reflected Cross-Site Scripting (XSS) vulnerability

July 22, 2024

CVE Number
CVE-2024-32484

SUMMARY
A reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Ankitects Anki 24.04

PRODUCT URLS
Anki – https://apps.ankiweb.net/

CVSSv3 SCORE
7.4 – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE
CWE-80 – Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

DETAILS
Anki is an open-source program that helps with memorization of information through the use of flash cards. It supports syncing of these cards across multiple computers as well as sharing cards with other users. It supports multiple different content types such as images, audio, videos, and scientific notation (via LaTeX).

Anki offers users the option to publicly share their decks, and it is normal behaviour to use them; there are no warnings or checks in place to prevent using cards from someone else. A malicious user could share a deck to trigger the following vulnerability.

Anki provides an internal flask server to manage the app,…
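The bug class named in the SUMMARY and DETAILS sections, a "path not found" handler that reflects the requested path into an HTML error page without escaping, is shown below as an added example. This is illustrative code written for this page; it is not Anki's handler and does not reproduce Anki's actual code. It uses a bare WSGI application (the interface Flask itself is built on) so it runs with the Python standard library only; the route table, probe path and header set are constructed assumptions. The unsafe handler is kept beside the hardened one, which HTML-escapes the reflected value and adds a restrictive Content-Security-Policy, and a small check reports whether raw markup survives into the response body.

```python
"""Reflected-XSS pattern in a 404 handler: unsafe form, hardened form, and a check.

Added example, NOT Anki's code. A minimal WSGI app stands in for the Flask server
so the example runs offline with the standard library only.
"""
import html
from io import BytesIO
from urllib.parse import unquote

# Constructed stand-in for the application's real routes.
KNOWN_ROUTES = {"/": b"<h1>index</h1>"}


def _serve_known(path, start_response):
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [KNOWN_ROUTES[path]]


def unsafe_app(environ, start_response):
    """404 handler that reflects the requested path into HTML verbatim (the bug class)."""
    path = environ.get("PATH_INFO", "")
    if path in KNOWN_ROUTES:
        return _serve_known(path, start_response)
    # Defect: the caller-controlled path is interpolated into HTML without escaping,
    # so any markup in the URL is rendered by the browser that made the request.
    body = f"<h1>404 Not Found</h1><p>No such file: {path}</p>"
    start_response("404 Not Found", [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def safe_app(environ, start_response):
    """Hardened handler: escape the reflected value and forbid inline script via CSP."""
    path = environ.get("PATH_INFO", "")
    if path in KNOWN_ROUTES:
        return _serve_known(path, start_response)
    # html.escape neutralises < > & " ' so the path is shown as text, not parsed as HTML.
    body = f"<h1>404 Not Found</h1><p>No such file: {html.escape(path, quote=True)}</p>"
    start_response("404 Not Found", [
        ("Content-Type", "text/html; charset=utf-8"),
        # Defence in depth: even if escaping were missed, no script may execute here.
        ("Content-Security-Policy", "default-src 'none'"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body.encode("utf-8")]


def get(app, raw_path):
    """Drive a WSGI app for one GET without a real server; returns (status, body_text)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": unquote(raw_path),   # WSGI servers hand the app a percent-decoded path
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "8080",
        "wsgi.url_scheme": "http",
        "wsgi.input": BytesIO(b""),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body


def reflects_markup(body, probe):
    """Detection check: does the raw probe markup survive unescaped into the response?"""
    return probe in body


# Constructed, benign probe: an <i> element is enough to show whether markup is reflected.
PROBE_PATH = "/missing/<i>probe</i>"
PROBE_MARKUP = "<i>probe</i>"

if __name__ == "__main__":
    for name, app in (("unsafe", unsafe_app), ("safe", safe_app)):
        status, body = get(app, PROBE_PATH)
        print(f"{name}: {status}; raw markup reflected: {reflects_markup(body, PROBE_MARKUP)}")
```

Running the script shows the unsafe handler echoing the probe markup intact while the hardened handler returns it as `&lt;i&gt;probe&lt;/i&gt;`. The same `reflects_markup` check, pointed at a real endpoint with a harmless marker, is a quick regression test for any error page that echoes request data; a stronger fix is to not reflect the path at all.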
