CVE-2025-43703

EPSS 0.03%
Veröffentlicht 16.04.2025 00:00:00
Zuletzt bearbeitet 09.10.2025 14:56:21
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ankitects ≫ Anki Version <= 25.02

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.071

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
cve@mitre.org	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-830 Inclusion of Web Functionality from an Untrusted Source

The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.

https://github.com/ankitects/anki/pull/3925

Patch

Issue Tracking

https://github.com/ankitects/anki/pull/3925/commits/24bca15fd3d9dc386916509eb2d4862d1184e709

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-43703

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-43703

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-43703

EUVD