CVE-2024-29073
MEDIUMAnki < 24.6 - Arbitrary File Read via Latex Verbatim Package
Title source: llmDescription
An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vulnerability.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1992
Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1992
Scores
CVSS v3
5.3
EPSS
0.1047
EPSS Percentile
95.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-829
Status
published
Products (2)
ankiweb/anki
24.04
pypi/anki
0 - 24.6PyPI
Published
Jul 22, 2024
Tracked Since
Feb 18, 2026