GHSA-cw6h-ffmh-x6vh: Anki: User scripts in iframes have access to the internal Anki API
Anki’s webview-based pages communicate with the Rust backend through an internal localhost API. Anki implements measures to prevent user scripts run in the reviewer/editor from accessing this API (https://github.com/ankitects/anki/pull/3925), but it inadvertently allows access to scripts included via iframes in the editor. Although only a limited set of API methods is exposed overall, some of them, such as getImageForOcclusion, can read arbitrary files.
CWE: CWE-22 (Path Traversal)
Reporter: Bankde (Eakasit)