CVE-2024-29073

Published Jul 22, 2024

Last updated 2 months ago

CVSS medium 6.5

Overview

Description: An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vulnerability.
Source: talos-cna@cisco.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

nvd@nist.gov: CWE-829
talos-cna@cisco.com: CWE-829

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ankiweb:anki:24.04:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C8691462-990E-4992-A762-5D4163718EF4"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References