Products
Anki
- 24.04
Source
talos-cna@cisco.com
Tags
CVE-2024-32484 details
Published : July 22, 2024, 3:15 p.m.
Last Modified : July 22, 2024, 5:15 p.m.
Description
A reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
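The weakness class behind this entry is a server that echoes an unrecognised request path into its error page without neutralising HTML metacharacters. The following is an added illustration, not Anki's code and not the Talos proof of concept: it uses a minimal stdlib WSGI application as a stand-in for the local Flask server (an assumption made so the example runs without Flask), shows the unescaped 404 handler beside two hardened variants, and drives both with a constructed probe path. The second stage described in the advisory (using the executed script to read local files) is not reproduced here.

```python
import html
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for a local app server: one known route, everything
# else falls through to the 404 renderer that is passed in.
KNOWN_ROUTES = {"/": "<h1>index</h1>"}


def not_found_vulnerable(path: str) -> tuple[str, str]:
    """Reflects the raw path into an HTML page (CWE-80 pattern).

    '<', '>', '&' and quotes pass straight through, so a path carrying
    markup becomes markup in the response.
    """
    return "text/html; charset=utf-8", f"<html><body>Not found: {path}</body></html>"


def not_found_hardened(path: str) -> tuple[str, str]:
    """Same page, but the path is HTML-escaped before it reaches the body."""
    return "text/html; charset=utf-8", f"<html><body>Not found: {html.escape(path, quote=True)}</body></html>"


def not_found_plaintext(path: str) -> tuple[str, str]:
    """Alternative fix: serve the error as text/plain so the browser never parses it as HTML."""
    return "text/plain; charset=utf-8", f"Not found: {path}"


def make_app(render_404):
    """Build a WSGI app whose 404 page comes from render_404(path)."""

    def app(environ, start_response):
        # WSGI servers deliver PATH_INFO already percent-decoded, so no unquote() here.
        path = environ.get("PATH_INFO", "")
        if path in KNOWN_ROUTES:
            start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
            return [KNOWN_ROUTES[path].encode()]
        content_type, body = render_404(path)
        start_response("404 Not Found", [("Content-Type", content_type)])
        return [body.encode()]

    return app


def request(app, path: str) -> tuple[str, str, str]:
    """Drive the app directly, as a test client would. Returns (status, content_type, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"]["Content-Type"], body


def reflects_markup(body: str, content_type: str) -> bool:
    """Check a 404 response the way a scanner would: live HTML tags in an HTML body."""
    return content_type.startswith("text/html") and "<script>" in body


# Constructed probe path; it is not a request taken from the advisory.
PROBE = "/<script>alert(document.domain)</script>"

if __name__ == "__main__":
    for name, renderer in [("vulnerable", not_found_vulnerable),
                           ("hardened", not_found_hardened),
                           ("plaintext", not_found_plaintext)]:
        status, ctype, body = request(make_app(renderer), PROBE)
        print(f"{name:10s} {status} {ctype:28s} reflected={reflects_markup(body, ctype)}")
```

The vulnerable renderer returns the probe's `<script>` element verbatim inside an HTML body; the escaped variant returns `&lt;script&gt;`, and the plaintext variant keeps the bytes but changes the content type so they are never interpreted. When reviewing a Flask app, look at custom `@app.errorhandler(404)` functions and any `abort()` call whose message embeds `request.path`: Flask's default NotFound page escapes, but a hand-written one returning an f-string does not.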
CVSS Score
7.4 (High)
Weakness
Weakness | Name | Description |
---|---|---|
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
7.4
Exploitability Score
2.8
Impact Score
4.0
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
References
URL | Source |
---|---|
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1995 | talos-cna@cisco.com |