Vulnerability Report ID: TALOS-2024-1995

Vulnerability Title: AnkiTects Anki Flask Invalid Path Reflected Cross-Site Scripting (XSS) vulnerability

CVE Number: CVE-2024-32484

CVSSv3 Score: 7.4

Affected Version: AnkiTects Anki 24.04

Product URL: https://apps.ankiweb.net/

CWE: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Summary:
- An XSS vulnerability exists in the handling of invalid paths in the Flask server within AnkiTects Anki 24.04.
- It can be exploited via a malicious flashcard, leading to arbitrary file reads.

Timeline:
- Vendor Disclosure: 2024-05-27
- Vendor Patch Release: 2024-06-24
- Public Release: 2024-07-22

Discovery Credit: Autumn Bee Skerritt and Jacob B of Cisco Duo Security