CVE-2021-46872 - Vulnerability Details - OpenCVE

An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00637.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Nim-lang	Nim Nimforum

Configuration 1 [-]

OR	cpe:2.3:a:nim-lang:nim::::::::
	cpe:2.3:a:nim-lang:nimforum::::::nim::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2021-33525	An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://forum.nim-lang.org/t/8852
https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7
https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2
https://github.com/nim-lang/Nim/pull/19134
https://github.com/nim-lang/nimforum

History

Mon, 07 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-13T00:00:00.000Z

Updated: 2025-04-07T19:13:15.282Z

Reserved: 2023-01-13T00:00:00.000Z

Link: CVE-2021-46872

Vulnrichment

Updated: 2024-08-04T05:17:42.923Z

NVD

Status : Modified

Published: 2023-01-13T06:15:10.940

Modified: 2025-04-07T20:15:17.223

Link: CVE-2021-46872

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-46872", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-04-07T19:13:15.282Z", "dateReserved": "2023-01-13T00:00:00.000Z", "datePublished": "2023-01-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-13T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/nim-lang/nimforum"}, {"url": "https://forum.nim-lang.org/t/8852"}, {"url": "https://github.com/nim-lang/Nim/pull/19134"}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:42.923Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/nim-lang/nimforum", "tags": ["x_transferred"]}, {"url": "https://forum.nim-lang.org/t/8852", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/pull/19134", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-07T19:12:45.568123Z", "id": "CVE-2021-46872", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T19:13:15.282Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nim-lang/nimforum", "tags": ["x_transferred"]}, {"url": "https://forum.nim-lang.org/t/8852", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/pull/19134", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2", "tags": ["x_transferred"]}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T05:17:42.923Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2021-46872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-07T19:12:45.568123Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-07T19:13:11.130Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/nim-lang/nimforum"}, {"url": "https://forum.nim-lang.org/t/8852"}, {"url": "https://github.com/nim-lang/Nim/pull/19134"}, {"url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-13T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2021-46872", "state": "PUBLISHED", "dateUpdated": "2025-04-07T19:13:15.282Z", "dateReserved": "2023-01-13T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-01-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nim-lang:nim:*:*:*:*:*:*:*:*", "matchCriteriaId": "1693ADAF-84A1-4F3D-8C13-C6495A1D91D5", "versionEndExcluding": "1.6.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:nim-lang:nimforum:*:*:*:*:*:nim:*:*", "matchCriteriaId": "FE0421BD-56F6-4822-B2F4-B7B31071BC57", "versionEndExcluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)"}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Nim antes de la versi\u00f3n 1.6.2. El m\u00f3dulo RST del lenguaje Nim stdlib, tal como se usa en NimForum y otros productos, permite el esquema javascript: URI y, por lo tanto, puede conducir a XSS en algunas aplicaciones. (Las versiones 1.6.2 y posteriores de Nim est\u00e1n corregidas; puede haber versiones anteriores de la soluci\u00f3n para algunas versiones anteriores. NimForum 2.2.0 est\u00e1 corregida)."}], "id": "CVE-2021-46872", "lastModified": "2025-04-07T20:15:17.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-01-13T06:15:10.940", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://forum.nim-lang.org/t/8852"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/pull/19134"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/nimforum"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://forum.nim-lang.org/t/8852"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/commit/46275126b89218e64844eee169e8ced05dd0e2d7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/compare/v1.6.0...v1.6.2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nim-lang/Nim/pull/19134"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nim-lang/nimforum"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}