{"id":"CVE-2020-15692","details":"In Nim 1.2.4, the standard library module browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands.","modified":"2026-04-10T04:23:13.455497Z","published":"2020-08-14T19:15:12.317Z","related":["openSUSE-SU-2022:10095-1","openSUSE-SU-2022:10101-1","openSUSE-SU-2024:12253-1"],"references":[{"type":"ADVISORY","url":"https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html"},{"type":"FIX","url":"https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/browsers.nim#L48"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2021/02/04/1"},{"type":"EVIDENCE","url":"https://consensys.net/diligence/vulnerabilities/nim-browsers-argument-injection/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nim-lang/nim","events":[{"introduced":"0"},{"last_affected":"bf320ed172f74f60fd274338e82bdc9ce3520dd9"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.6"}]}}],"versions":["v0.10.2","v0.11.0","v0.11.2","v0.12.0","v0.13.0","v0.14.0","v0.14.2","v0.15.0","v0.15.2","v0.16.0","v0.17.0","v0.17.2","v0.18.0","v0.19.0","v0.20.0","v0.8.14","v0.9.0","v0.9.2","v0.9.4","v1.0.0","v1.2.0","v1.2.2","v1.2.4","v1.2.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15692.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}