Nltk · Nltk · CVE-2026-33230
**Name of the Vulnerable Software and Affected Versions**
NLTK versions 3.9.3 and prior
**Description**
NLTK (Natural Language Toolkit) contains a reflected cross-site scripting (XSS) issue in the `lookup_...` route of `nltk.app.wordnet_app`. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without proper escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. The issue is exploitable because `Reference.decode()` accepts attacker-controlled base64-encoded pickle data for the URL state, and the decoded `word` is reflected into HTML without escaping. The vulnerable code is located in `nltk/app/wordnet_app.py` at lines 144, 755, 769, and 796. The API endpoint affected is `/lookup_<payload>`. The vulnerable parameter is `word`.
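As an added illustration (constructed for this record, not NLTK's own code), the following Python contrasts the two defects named above with a hardened counterpart: a URL-state class that carries the looked-up word as JSON instead of pickle, so decoding only parses data and never executes it, and a renderer that HTML-escapes the word before reflecting it. The `SafeReference` class, the `/lookup_` route prefix and the function names are assumptions, not identifiers from the project.

```python
import base64
import html
import json


class SafeReference:
    # Hypothetical stand-in for the browser's URL state (not NLTK's own
    # Reference): JSON, not pickle, so decode() cannot run attacker code.
    def __init__(self, word, synset_relations=None):
        self.word = word
        self.synset_relations = dict(synset_relations or {})

    def encode(self):
        state = {"word": self.word, "synset_relations": self.synset_relations}
        raw = json.dumps(state, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(raw).decode("ascii")

    @classmethod
    def decode(cls, token):
        # Bad base64, non-UTF-8 bytes (e.g. a pickle stream) and non-JSON
        # all surface as ValueError: malformed state is rejected, not used.
        try:
            raw = base64.urlsafe_b64decode(token.encode("ascii"))
            state = json.loads(raw.decode("utf-8"))
        except ValueError as exc:
            raise ValueError("invalid lookup state") from exc
        rels = state.get("synset_relations", {}) if isinstance(state, dict) else None
        if not isinstance(state, dict) or not isinstance(state.get("word"), str) \
                or not isinstance(rels, dict):
            raise ValueError("invalid lookup state")
        return cls(state["word"], rels)


def vulnerable_page(word):
    # The flaw the advisory describes: the word is reflected verbatim.
    return f"<h2>Results for {word}</h2>"


def hardened_page(word):
    # Escaping for an HTML text-node context: & < > " and ' are neutralised.
    return f"<h2>Results for {html.escape(word, quote=True)}</h2>"


def handle_lookup(path):
    """Return (status, body) for a '/lookup_<token>' path (assumed route)."""
    prefix = "/lookup_"
    if not path.startswith(prefix):
        return 404, "<p>not found</p>"
    try:
        ref = SafeReference.decode(path[len(prefix):])
    except ValueError:
        return 400, "<p>invalid lookup state</p>"
    return 200, hardened_page(ref.word)
```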
**Recommendations**
Versions prior to 3.9.3 should be updated to address this issue.