Package: anki
Version: 2.0.32+dfsg-1
Tags: security

In Anki, cards [1] are formatted using HTML and displayed using a web browser control. That browser is not appropriately restricted, for example:

* Script execution is permitted.
* Arbitrary file: URLs can be accessed.
* Arbitrary http: and https: URLs can be accessed.

As a result, a malicious deck may, for example:

* Call home any time it is used.
* Exfiltrate local files, similar to CVE-2015-4495 [2].
* Take over vulnerable routers and other servers in the same LAN.

To reproduce, insert this into a card template:

<a href="javascript:alert('Test')">click</a> -> script execution.
<img src="file:///path/to/local/file"/> -> local file access.
<img src="http://example.com/path/to/remote/file"/> -> remote file access.

[1] http://ankisrs.net/docs/manual.html#basics
[2] http://www.welivesecurity.com/2015/08/11/firefox-under-fire-anatomy-of-latest-0-day-attack/
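
A defensive check for the three behaviours listed above, as an added example that is not part of the original report or of Anki's code: a Python scanner that flags script, file: and http(s): references in a card template before a shared deck is used. The names audit_template and TemplateAudit and the attribute list are assumptions of this example, and it inspects template HTML only, not field content.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser control fetch or navigate to a URL.
# (Assumed list for this example; extend it for the tags your decks use.)
URL_ATTRS = {"src", "href", "data", "action", "poster", "background"}
SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
CATEGORY = {"javascript": "script", "file": "local-file",
            "http": "remote", "https": "remote"}


class TemplateAudit(HTMLParser):
    """Collects (category, tag, detail) findings for one card template."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", tag, "<script> element"))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                # Inline event handlers (onclick, onerror, ...) run script.
                self.findings.append(("script", tag, name))
            elif name in URL_ATTRS:
                m = SCHEME_RE.match(value)
                category = CATEGORY.get(m.group(1).lower()) if m else None
                if category:
                    self.findings.append((category, tag, value))


def audit_template(template_html):
    """Return findings in document order; an empty list means none found."""
    parser = TemplateAudit()
    parser.feed(template_html)
    parser.close()
    return parser.findings


# Constructed sample: the three reproduction snippets from the report
# plus one ordinary template line.
SAMPLE = """<div class="front">{{Front}}</div>
<a href="javascript:alert('Test')">click</a>
<img src="file:///path/to/local/file"/>
<img src="http://example.com/path/to/remote/file"/>"""

if __name__ == "__main__":
    for category, tag, detail in audit_template(SAMPLE):
        print(f"{category:10} <{tag}> {detail}")
```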