Vulnerability Description
An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nim-Lang | Nim | < 1.6.2 |
| Nim-Lang | Nimforum | < 2.2.0 |
References
- https://forum.nim-lang.org/t/8852 (Issue Tracking, Vendor Advisory)
- https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7 (Patch, Third Party Advisory)
- https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2 (Third Party Advisory)
- https://github.com/nim-lang/Nim/pull/19134 (Patch, Third Party Advisory)
- https://github.com/nim-lang/nimforum (Third Party Advisory)
FAQ
What is CVE-2021-46872?
CVE-2021-46872 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications.
How severe is CVE-2021-46872?
CVE-2021-46872 has been rated MEDIUM with a CVSS base score of 6.1/10.
Is there a patch for CVE-2021-46872?
Yes. Nim 1.6.2 and later are fixed (with possible backports to some earlier versions), and NimForum 2.2.0 is fixed. See the references section above for the vendor advisory and the patch commit. Affected products: Nim-Lang Nim, Nim-Lang Nimforum.