CVE-2021-46872 - Vulnerability Details - OpenCVE

An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Nim-lang	Nim Nimforum

Configuration 1 [-]

OR	cpe:2.3:a:nim-lang:nim::::::::
	cpe:2.3:a:nim-lang:nimforum::::::nim::*

No data.

References

Link	Providers
https://forum.nim-lang.org/t/8852
https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7
https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2
https://github.com/nim-lang/Nim/pull/19134
https://github.com/nim-lang/nimforum

History

Mon, 07 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-13T00:00:00.000Z

Updated: 2025-04-07T19:13:15.282Z

Reserved: 2023-01-13T00:00:00.000Z

Link: CVE-2021-46872

Vulnrichment

Updated: 2024-08-04T05:17:42.923Z

NVD

Status : Modified

Published: 2023-01-13T06:15:10.940

Modified: 2025-04-07T20:15:17.223

Link: CVE-2021-46872

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-46872", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-07T19:13:15.282Z", "dateReserved": "2023-01-13T00:00:00.000Z", "datePublished": "2023-01-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-13T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/nim-lang/nimforum"}, {"url": "https://forum.nim-lang.org/t/8852"}, {"url": "https://github.com/nim-lang/Nim/pull/19134"}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:42.923Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/nim-lang/nimforum", "tags": ["x_transferred"]}, {"url": "https://forum.nim-lang.org/t/8852", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/pull/19134", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-07T19:12:45.568123Z", "id": "CVE-2021-46872", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T19:13:15.282Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nim-lang/nimforum", "tags": ["x_transferred"]}, {"url": "https://forum.nim-lang.org/t/8852", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/pull/19134", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:42.923Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-46872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-07T19:12:45.568123Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T19:13:11.130Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/nim-lang/nimforum"}, {"url": "https://forum.nim-lang.org/t/8852"}, {"url": "https://github.com/nim-lang/Nim/pull/19134"}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-13T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2021-46872", "state": "PUBLISHED", "dateUpdated": "2025-04-07T19:13:15.282Z", "dateReserved": "2023-01-13T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-01-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nim-lang:nim:*:*:*:*:*:*:*:*", "matchCriteriaId": "1693ADAF-84A1-4F3D-8C13-C6495A1D91D5", "versionEndExcluding": "1.6.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:nim-lang:nimforum:*:*:*:*:*:nim:*:*", "matchCriteriaId": "FE0421BD-56F6-4822-B2F4-B7B31071BC57", "versionEndExcluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)"}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Nim antes de la versi\u00f3n 1.6.2. El m\u00f3dulo RST del lenguaje Nim stdlib, tal como se usa en NimForum y otros productos, permite el esquema javascript: URI y, por lo tanto, puede conducir a XSS en algunas aplicaciones. (Las versiones 1.6.2 y posteriores de Nim est\u00e1n corregidas; puede haber versiones anteriores de la soluci\u00f3n para algunas versiones anteriores. NimForum 2.2.0 est\u00e1 corregida)."}], "id": "CVE-2021-46872", "lastModified": "2025-04-07T20:15:17.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-13T06:15:10.940", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://forum.nim-lang.org/t/8852"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/pull/19134"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/nimforum"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://forum.nim-lang.org/t/8852"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/pull/19134"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/nimforum"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}