CVE-2024-32484
HIGHAnki 24.04 - Reflected Cross-Site Scripting via Invalid Path Handling
Title source: llmDescription
An reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1995
Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1995
Scores
CVSS v3
7.4
EPSS
0.2392
EPSS Percentile
97.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-80
CWE-79
Status
published
Products (1)
ankitects/anki
24.04
Published
Jul 22, 2024
Tracked Since
Feb 18, 2026