CVE-2021-46872

An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nim-lang:nim:*:*:*:*:*:*:*:*
cpe:2.3:a:nim-lang:nimforum:*:*:*:*:*:nim:*:*

History

21 Nov 2024, 06:34

Type Values Removed Values Added
References () https://forum.nim-lang.org/t/8852 - Issue Tracking, Vendor Advisory () https://forum.nim-lang.org/t/8852 - Issue Tracking, Vendor Advisory
References () https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7 - Patch, Third Party Advisory () https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7 - Patch, Third Party Advisory
References () https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2 - Third Party Advisory () https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2 - Third Party Advisory
References () https://github.com/nim-lang/Nim/pull/19134 - Patch, Third Party Advisory () https://github.com/nim-lang/Nim/pull/19134 - Patch, Third Party Advisory
References () https://github.com/nim-lang/nimforum - Third Party Advisory () https://github.com/nim-lang/nimforum - Third Party Advisory
Summary
  • (es) Se descubrió un problema en Nim antes de la versión 1.6.2. El módulo RST del lenguaje Nim stdlib, tal como se usa en NimForum y otros productos, permite el esquema javascript: URI y, por lo tanto, puede conducir a XSS en algunas aplicaciones. (Las versiones 1.6.2 y posteriores de Nim están corregidas; puede haber versiones anteriores de la solución para algunas versiones anteriores. NimForum 2.2.0 está corregida).

Information

Published : 2023-01-13 06:15

Updated : 2024-11-21 06:34


NVD link : CVE-2021-46872

Mitre link : CVE-2021-46872

CVE.ORG link : CVE-2021-46872


JSON object : View

Products Affected

nim-lang

  • nimforum
  • nim
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')