| Name | CVE-2025-43703 |
| Description | An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. NOTE: this issue exists because of an incomplete fix for CVE-2024-32484. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| anki (PTS) | bullseye | 2.1.15+dfsg-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| anki | source | (unstable) | (not affected) | | | |
Notes
- anki <not-affected> (Incomplete fix for CVE-2024-32484 not applied)
https://github.com/ankitects/anki/pull/3925
Issue exists because of an incomplete fix for CVE-2024-32484