Inclusion of Web Functionality from an Untrusted Source

CVE-2025-43703

Medium

5.4/10

Summary

An issue was discovered in Ankitects Anki through 25.2. A crafted shared deck can result in attacker-controlled access to the internal API (even though the attacker has no knowledge of an API key) through approaches such as scripts or the SRC attribute of an IMG element. The underlying issue is present in the package "aqt", which is a sub package of "Anki".

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-830 - Inclusion of Web Functionality from an Untrusted Source

The software includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the software, potentially granting total access and control of the software to the untrusted source.

References

Advisory
Pull request

Advisory Timeline

Published Apr 16, 2025

Inclusion of Web Functionality from an Untrusted Source

CVE-2025-43703

Summary

CWE-830 - Inclusion of Web Functionality from an Untrusted Source

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS