Taguette is an open source qualitative research tool. In versions 1.5.1 and below, attackers can craft malicious URLs that redirect users to arbitrary external websites after authentication. The application accepts a user-controlled next parameter and uses it directly in HTTP redirects without any validation. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance but are redirected to a malicious site designed to steal credentials or deliver malware. This issue is fixed in version 1.5.2.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| taguette(PyPI) | 0 | 1.5.2 | N/A |
CVSS Metrics
