8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4315

GHSA ID

GHSA-9mq4-9556-6qxq

EPSS Score

0.23926%

CWE

CWE-94

Published

1/29/2023

Updated

10/18/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-4315

CVE-2021-4315: NYUCCL psiTurk IS vulnerable to Improper Neutralization of Special Elements

A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template engine. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.1 is able to address this issue. The name of the patch is 47787e15cecd66f2aa87687bf852ae0194a4335f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-219676.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4315

GHSA ID

GHSA-9mq4-9556-6qxq

EPSS Score

0.23926%

CWE

CWE-94

Published

1/29/2023

Updated

10/18/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
psiTurk	pip	< 3.2.1	3.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three connected functions:

advertisement() and give_consent() handled HTTP requests and passed user-controlled 'mode' parameters
These functions called insert_mode() which performed unsafe string insertion of the mode value
The final render_template_string() call processed the modified template with raw user input

Pre-patch code showed direct concatenation of mode parameter into template HTML (e.g., '&mode=' + mode), allowing template engine code injection. The patch replaced this with proper template variable syntax ({{ mode }}) and moved parameter passing to the safe render_template_string context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n *oun* in NYU**L psiTurk up to *.*.* *n* *l*ssi*i** *s *riti**l. T*is vuln*r**ility *****ts unknown *o** o* t** *il* psiturk/*xp*rim*nt.py. T** m*nipul*tion o* t** *r*um*nt mo** l***s to improp*r n*utr*liz*tion o* sp**i*l *l*m

Reasoning

T** vuln*r**ility st*ms *rom t*r** *onn**t** *un*tions: *. **v*rtis*m*nt() *n* *iv*_*ons*nt() **n*l** *TTP r*qu*sts *n* p*ss** us*r-*ontroll** 'mo**' p*r*m*t*rs *. T**s* *un*tions **ll** ins*rt_mo**() w*i** p*r*orm** uns*** strin* ins*rtion o* t** mo

8.8

Basic Information

Concerned about an active attack path?

CVE-2021-4315: NYUCCL psiTurk IS vulnerable to Improper Neutralization of Special Elements

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI