PT-2020-14587 · Nim+1

Tintinweb · Published 2020-08-14 · Updated 2024-06-15 · CVE-2020-15692

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Nim version 1.2.4

Description

The browsers module in the Nim standard library mishandles the URL argument to browsers.openDefaultBrowser(), allowing an attacker to pass an argument to the underlying open command and execute arbitrary registered system commands. This can occur when the URL argument is a local file path that will be opened in the default explorer.

Recommendations

For Nim version 1.2.4, consider disabling the browsers.openDefaultBrowser() function until a patch is available to prevent exploitation. Restrict access to the browsers module to minimize the risk of arbitrary command execution. Avoid using the openDefaultBrowser function with untrusted input until the issue is resolved.
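
One way to follow the last recommendation is to validate a value before it reaches openDefaultBrowser(). The wrapper below is an added example, not code from the Nim project or from this advisory; the proc names isSafeBrowserUrl and openUntrustedUrl are hypothetical, and the http/https allow-list assumes the application only ever needs to open web links.

```nim
import std/[browsers, strutils, uri]

# Assumption: the application only needs to open web links.
const allowedSchemes = ["http", "https"]

proc isSafeBrowserUrl*(candidate: string): bool =
  ## True only for absolute http(s) URLs with a host and without
  ## characters that a launcher command could read as an option
  ## or as an argument separator.
  if candidate.len == 0 or candidate.len > 2048:
    return false
  # A leading '-' is what lets a value be parsed as a command-line option.
  if candidate[0] == '-':
    return false
  # Reject whitespace and control characters anywhere in the value.
  for ch in candidate:
    if ch <= ' ' or ch == '\x7f':
      return false
  let parsed = parseUri(candidate)
  # Local file paths have no scheme, and file: URLs are not on the allow-list.
  result = (parsed.scheme.toLowerAscii in allowedSchemes) and
           (parsed.hostname.len > 0)

proc openUntrustedUrl*(candidate: string): bool =
  ## Opens the URL only if it passes validation.
  ## Returns whether the browser was asked to open it.
  if not isSafeBrowserUrl(candidate):
    return false
  openDefaultBrowser(candidate)
  true

when isMainModule:
  # Constructed sample inputs.
  doAssert isSafeBrowserUrl("https://nim-lang.org/docs/browsers.html")
  doAssert not isSafeBrowserUrl("--some-option")
  doAssert not isSafeBrowserUrl("/tmp/report.html")
  doAssert not isSafeBrowserUrl("file:///etc/hosts")
  doAssert not isSafeBrowserUrl("https://example.com/ a")
```

Input validation of this kind is defense in depth for callers; it does not change the behavior of the affected function in Nim 1.2.4.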

Exploit

Fix

Argument Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2020-3173
CVE-2020-15692
OPENSUSE-SU-2022:10095-1
OPENSUSE-SU-2022:10101-1
OPENSUSE-SU-2024:12253-1

Affected Products

Alt Linux
Nim