Flask Server Reflected XSS Vulnerability
CVE-2024-32484

8.2HIGH

Key Information:

Vendor: Ankitects
Status: Anki
Vendor: CVE Published:; 22 July 2024

What is CVE-2024-32484?

A reflected XSS vulnerability has been identified in Ankitects' Anki version 24.04, related to the improper handling of invalid paths within the Flask server framework. This vulnerability can be exploited through specially crafted flashcards, allowing attackers to execute arbitrary JavaScript code. Such an attack could lead to unauthorized file access on the client's machine if the malicious flashcard is shared and opened. The flaw emphasizes the importance of secure coding practices to prevent the injection of harmful scripts into applications.

Affected Version(s)

Anki 24.04

References

https://talosintelligence.com/vulnerability_reports/TALOS...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 22, 2024
Vulnerability Reserved
May 6, 2024

Credit

Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B