Dominik Picheta

4 exploits Active since Jan 2021
CVE-2020-15690 WRITEUP CRITICAL WRITEUP
nim < 1.2.6 - CRLF Injection in asyncftpclient
In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character.
CVSS 9.8
CVE-2021-21372 WRITEUP HIGH WRITEUP
Nim < 1.2.10 - Remote Code Execution via Nimble doCmd Command Injection
Nimble is a package manager for the Nim programming language. In Nim release version before versions 1.2.10 and 1.4.4, Nimble doCmd is used in different places and can be leveraged to execute arbitrary commands. An attacker can craft a malicious entry in the packages.json package list to trigger code execution.
CVSS 8.3
CVE-2021-46872 WRITEUP MEDIUM WRITEUP
Nim < 1.6.2 - Cross-Site Scripting via RST Module
An issue was discovered in Nim before 1.6.2. The RST module of the Nim language stdlib, as used in NimForum and other products, permits the javascript: URI scheme and thus can lead to XSS in some applications. (Nim versions 1.6.2 and later are fixed; there may be backports of the fix to some earlier versions. NimForum 2.2.0 is fixed.)
CVSS 6.1
CVE-2022-23602 WRITEUP HIGH WRITEUP
nim-lang/nimforum < 2.2.0 - Path Traversal via Include Directive
Nimforum is a lightweight alternative to Discourse written in Nim. In versions prior to 2.2.0 any forum user can create a new thread/post with an include referencing a file local to the host operating system. Nimforum will render the file if able. This can also be done silently by using NimForum's post "preview" endpoint. Even if NimForum is running as a non-critical user, the forum.json secrets can be stolen. Version 2.2.0 of NimForum includes patches for this vulnerability. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue.
CVSS 7.7