NLTK
cpe:2.3:a:nltk:nltk:*:*:*:*:*:*:*
- <= 3.9.3
A reflected cross-site scripting vulnerability has been identified in the NLTK (Natural Language Toolkit) WordNet Browser application, specifically in versions 3.9.3 and prior. The issue arises in the 'lookup_' route of 'nltk.app.wordnet_app', where attacker-controlled 'word' data is reflected into the response page without proper HTML escaping. This vulnerability affects users running the local WordNet Browser server, potentially leading to the execution of arbitrary JavaScript in the browser context of the application.
Successful exploitation lets an attacker execute arbitrary JavaScript in the context of the local WordNet Browser application. This could involve running scripts in the browser tab, manipulating the displayed content, making same-origin requests to other WordNet Browser routes, or triggering available UI actions within that local app context.
To reproduce this vulnerability, start the WordNet Browser application in an isolated Docker environment. Once the application is running, send a request to the 'lookup_' route whose 'word' value contains HTML markup, such as a script tag. Because the value is reflected without escaping, the injected script is executed in the context of the WordNet Browser.
Users can update to NLTK version 3.9.4 or later, where this vulnerability has been fixed.
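The missing-escape pattern described above, next to its hardened form, as an added example that is not NLTK's code. The `/lookup_<word>` path shape, the page template and all function names are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Hypothetical page template: the word lands in element text and in an attribute.
TEMPLATE = (
    "<html><body><h1>Results for {word}</h1>"
    '<input name="word" value="{word}"></body></html>'
)
PREFIX = "/lookup_"  # assumed path shape for the 'lookup_' route


def word_from_path(path: str) -> str:
    """Return the percent-decoded word carried in a /lookup_<word> path."""
    if not path.startswith(PREFIX):
        raise ValueError("not a lookup_ request")
    return unquote(path[len(PREFIX):])


def render_unescaped(word: str) -> str:
    """Flawed form: request data is pasted into the HTML as-is."""
    return TEMPLATE.format(word=word)


def render_escaped(word: str) -> str:
    """Hardened form: encode <, >, & and both quote characters first."""
    return TEMPLATE.format(word=html.escape(word, quote=True))


def markup_survives(page: str, word: str) -> bool:
    """Regression check: does input with HTML metacharacters appear verbatim?"""
    has_special = any(c in word for c in "<>\"'&")
    return has_special and word in page


# Constructed sample requests (not captured traffic).
SAMPLES = [
    "/lookup_dog",
    "/lookup_%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/lookup_%22rock%22%20%26%20'roll'",
]

if __name__ == "__main__":
    for path in SAMPLES:
        w = word_from_path(path)
        print(repr(w),
              "| unescaped keeps markup:", markup_survives(render_unescaped(w), w),
              "| escaped keeps markup:", markup_survives(render_escaped(w), w))
```

A check like `markup_survives` can be kept as a regression test against the real route after upgrading, to confirm that the response no longer contains the raw input.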