CVE-2021-4315: NYUCCL psiTurk is vulnerable to Improper Neutralization of Special Elements
CVSS Score: 8.8 (CVSS 3.1)

Basic Information
- CVE ID: CVE-2021-4315
- GHSA ID
- EPSS Score: 0.23926%
- CWE
- Published: 1/29/2023
- Updated: 10/18/2024
- KEV Status: No
- Technology: Python

Technical Details
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| psiTurk | pip | < 3.2.1 | 3.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from three connected functions:
- advertisement() and give_consent() handled HTTP requests and passed user-controlled 'mode' parameters
- These functions called insert_mode(), which performed unsafe string insertion of the mode value
- The final render_template_string() call processed the modified template with raw user input
The pre-patch code concatenated the mode parameter directly into the template HTML (e.g., '&mode=' + mode), so user input became part of the template source and allowed template engine code injection. The patch replaced this with proper template variable syntax ({{ mode }}) and moved parameter passing to the safe render_template_string context, where mode is handled as data rather than as template code.
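
The two patterns described above can be told apart statically. The following is an added example, not psiTurk's code or part of the original advisory: a standard-library checker that flags render_template_string() calls whose template source derives from request data. The sample functions, request.args["mode"], AD_HTML and the arguments of insert_mode are constructed for illustration.

```python
import ast

# Constructed samples modelled on the advisory's description (not psiTurk source).
# request.args["mode"], AD_HTML and insert_mode's arguments are assumptions.
PRE_PATCH = '''
def advertisement():
    mode = request.args["mode"]
    ad_string = insert_mode(AD_HTML, mode)
    return render_template_string(ad_string, hitid=hit_id)
'''
POST_PATCH = '''
def advertisement():
    mode = request.args["mode"]
    return render_template_string(AD_HTML, mode=mode, hitid=hit_id)
'''

def _names(node):
    """All bare identifiers referenced anywhere inside an expression."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

def find_tainted_templates(source):
    """Return (function, line) for each render_template_string() call whose
    template argument derives from Flask's `request` object."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        assigns = [n for n in ast.walk(func) if isinstance(n, ast.Assign)]
        tainted = {"request"}
        changed = True
        while changed:  # flow-insensitive: propagate taint to a fixpoint
            changed = False
            for a in assigns:
                if _names(a.value) & tainted:
                    new = set().union(*map(_names, a.targets)) - tainted
                    tainted |= new
                    changed = changed or bool(new)
        for call in ast.walk(func):
            if (isinstance(call, ast.Call) and isinstance(call.func, ast.Name)
                    and call.func.id == "render_template_string" and call.args
                    # Only the template source (first positional argument) matters;
                    # tainted keyword arguments are context data, the safe pattern.
                    and _names(call.args[0]) & tainted):
                findings.append((func.name, call.lineno))
    return findings

if __name__ == "__main__":
    print("pre-patch :", find_tainted_templates(PRE_PATCH))
    print("post-patch:", find_tainted_templates(POST_PATCH))
```

The check is intraprocedural and name-based, so it over-approximates: treat a finding as a prompt for manual review of how the template string is built.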