[Bug 1228222] New: VUL-0: CVE-2024-32484: anki: arbitrary file read through reflected XSS when handling invalid paths in the Flask server
https://bugzilla.suse.com/show_bug.cgi?id=1228222

            Bug ID: 1228222
           Summary: VUL-0: CVE-2024-32484: anki: arbitrary file read through
                    reflected XSS when handling invalid paths in the Flask server
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.6
          Hardware: Other
               URL: https://smash.suse.de/issue/414904/
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: mvetter@suse.com
          Reporter: smash_bz@suse.de
        QA Contact: security-team@suse.de
                CC: camila.matos@suse.com
  Target Milestone: ---
          Found By: Security Response Team
           Blocker: ---

A reflected XSS vulnerability exists in the handling of invalid paths in the Flask server in Ankitects Anki 24.04. A specially crafted flashcard can lead to JavaScript code execution and result in an arbitrary file read. An attacker can share a malicious flashcard to trigger this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-32484
https://www.cve.org/CVERecord?id=CVE-2024-32484
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1995

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1228222

SMASH SMASH <smash_bz@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
https://bugzilla.suse.com/show_bug.cgi?id=1228222
https://bugzilla.suse.com/show_bug.cgi?id=1228222#c2

Michael Vetter <mvetter@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|mvetter@suse.com            |security-team@suse.de

--- Comment #2 from Michael Vetter <mvetter@suse.com> ---
I think I can't really help with this. I only touched the Anki package once, in 2019. Our version is 2.1.13 from May 2019. And the current upstream version is 24.06.3, and even though the version schema changed, we are A LOT of versions behind.

I believe the reason for this is that a long time ago Anki changed something which made it super annoying to package it. I don't remember the details anymore but remember that I was quite annoyed at something and after my one contribution decided not to contribute anymore. I believe more distro packagers felt that way, since we can see that several other distros are also quite behind in their packaging of Anki. Fedora and Debian got stuck at 2.1.15 as well.

Sadly I have to recommend that people use the flatpak version of it.

As for fixing these bugs, I'm not sure who could do it or whether it's possible to remove Anki from 15.6 repos. Luckily it's only in `Education` and not in Factory anymore.