CVE-2024-32484

7.4 HIGH

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in Anki's Flask server allows attackers to execute arbitrary JavaScript by tricking users into opening malicious flashcards. This can lead to arbitrary file reads on the victim's system. Users of Anki 24.04 who open shared flashcards are affected.

💻 Affected Systems

Products:
  • Ankitects Anki
Versions: 24.04
Operating Systems: All platforms running Anki
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default Flask server configuration when handling invalid paths.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker reads sensitive files from the user's system, steals session cookies, and performs actions as the user.

🟠 Likely Case

Attacker steals session cookies to hijack accounts or reads local files containing personal data.

🟢 If Mitigated

Limited impact if the user doesn't open untrusted flashcards or has strong browser security settings.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (opening malicious flashcard). Technical details and PoC are publicly available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.05 or later

Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1995

Restart Required: Yes

Instructions:

1. Update Anki to version 24.05 or later.
2. Restart the application.
3. Verify the update by checking the version in About Anki.

🔧 Temporary Workarounds

Disable Flashcard Sharing

Applies to: all platforms

Prevent users from opening shared flashcards from untrusted sources.

Use Browser Security Extensions

Applies to: all platforms

Deploy browser extensions that block reflected XSS attacks.

🧯 If You Can't Patch

  • Restrict flashcard sharing to trusted sources only.
  • Educate users about the risks of opening untrusted flashcards.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Anki version is 24.04. If it is, the installation is vulnerable.

Check Version:

On Anki: Help > About. On command line: anki --version

Verify Fix Applied:

Verify Anki version is 24.05 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to invalid paths in Flask server logs
  • JavaScript execution in unexpected contexts

Network Indicators:

  • HTTP requests containing malicious JavaScript payloads in flashcard data

SIEM Query:

source="anki_logs" AND (path="*invalid*" OR message="*JavaScript*" OR status=404)
