GitHub Advisory Database: GHSA-8775-5HWV-WR6V
Published: May 22, 2023, 8:35 p.m.

Potential for cross-site scripting in PostHog-js

CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Source: GitHub Advisory Database (github.com)
Tags: cross-site scripting, posthog-js, patched, content security policy, vulnerability, security policy

CVSS 3.1: 6.1 (Medium)
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: Required
  Scope: Changed
  Confidentiality Impact: Low
  Integrity Impact: Low
  Availability Impact: None
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 (percentile 32.5%)

Impact

Potential for cross-site scripting in posthog-js.

Patches

The problem has been patched in posthog-js version 1.57.2.
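Because the fix is a version bump, the practical check is whether any installed copy of posthog-js, including copies nested under other dependencies, is still below 1.57.2. The following is an added example, not code from the advisory or the posthog-js project: it audits an npm package-lock.json (lockfile versions 1, 2 and 3) for such copies. The embedded lockfile, the "example-app" project and the "analytics-wrapper" package are constructed for illustration.

```javascript
// Added example, not code from the advisory or the posthog-js project: audit
// a package-lock.json for copies of posthog-js older than the patched 1.57.2.
// Nested copies (a dependency that bundles its own posthog-js) count too.

const PATCHED = "1.57.2";

// Numeric comparison of dotted versions. A pre-release such as
// "1.57.2-beta.1" sorts before the corresponding release, matching semver.
function compareVersions(a, b) {
  const split = (v) => {
    const [core, pre] = v.split("-", 2);
    return { nums: core.split(".").map(Number), pre: pre !== undefined };
  };
  const pa = split(a);
  const pb = split(b);
  const len = Math.max(pa.nums.length, pb.nums.length);
  for (let i = 0; i < len; i++) {
    const x = pa.nums[i] || 0;
    const y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

// Locate every installed copy of `name` in an npm lockfile.
// lockfileVersion 2/3 keep a flat "packages" map keyed by install path;
// lockfileVersion 1 keeps a nested "dependencies" tree.
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: pkg.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: info.version });
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Every installed copy whose version is strictly below the patched release.
function vulnerableCopies(lock, name = "posthog-js", patched = PATCHED) {
  return findInstalled(lock, name).filter((h) => compareVersions(h.version, patched) < 0);
}

// Constructed sample lockfile (not a real project): a direct posthog-js
// 1.57.1 plus a nested, already-patched copy under a hypothetical
// "analytics-wrapper" package.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "posthog-js": "^1.57.0" } },
    "node_modules/posthog-js": { version: "1.57.1" },
    "node_modules/analytics-wrapper": { version: "2.0.0" },
    "node_modules/analytics-wrapper/node_modules/posthog-js": { version: "1.57.2" },
  },
};

// Run with a lockfile path to audit a real project; otherwise the sample is used.
if (typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : sampleLock;
  for (const hit of vulnerableCopies(lock)) {
    console.log(`${hit.path}: posthog-js ${hit.version} is below ${PATCHED}; upgrade`);
  }
}
```

Run it as `node audit.js path/to/package-lock.json`; on the sample it reports only the top-level 1.57.1 copy, since the nested copy is already at 1.57.2. A lockfile only describes what npm installed, so a copy of the library vendored by hand into a static directory must be checked separately.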

Workarounds

  • Sites that enforce a Content Security Policy are not affected. A CSP only provides this protection if it restricts script execution: a script-src (or default-src) directive that includes 'unsafe-inline' or allows script from arbitrary origins does not block injected script.
  • The HTML tracking snippet on PostHog Cloud always loads the latest version of the library, so sites using it need take no action to receive the patched version. Installations that pin the library (the npm package or a self-hosted copy of the script) must be upgraded to 1.57.2 or later.
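The first workaround holds only for a policy that genuinely restricts script. The following added example (not from the advisory or the posthog-js project) evaluates a Content-Security-Policy header value against the conditions that matter: a script-src directive (or default-src as fallback) must exist, 'unsafe-inline' must be absent or overridden by a nonce or hash, and no wildcard or bare scheme source may admit script from arbitrary origins. The sample headers are constructed, not taken from any deployment.

```javascript
// Added example, not code from the advisory or the posthog-js project: decide
// whether a Content-Security-Policy header value really restricts script
// execution, which is what the CSP workaround relies on.

// Parse "directive src1 src2; directive2 ..." into a Map. When a directive is
// repeated, browsers honour the first occurrence and ignore the rest.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map((s) => s.toLowerCase()));
  }
  return policy;
}

// Source expressions that let an attacker load script from wherever they like.
const BROAD_SOURCES = new Set(["*", "http:", "https:", "data:"]);

function evaluateScriptPolicy(header) {
  const policy = parseCsp(header);
  // script-src governs script; default-src is the fallback when it is absent.
  const sources = policy.get("script-src") || policy.get("default-src");
  if (!sources) {
    return { restricts: false, reason: "no script-src or default-src: scripts are unrestricted" };
  }
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    return { restricts: false, reason: "'unsafe-inline' lets injected inline script run" };
  }
  // With 'strict-dynamic' host and scheme sources are ignored, so a broad
  // allowlist next to it is harmless.
  const broad = sources.find((s) => BROAD_SOURCES.has(s));
  if (broad && !sources.includes("'strict-dynamic'")) {
    return { restricts: false, reason: `${broad} allows script from arbitrary origins` };
  }
  return { restricts: true, reason: "inline script blocked and script origins allowlisted" };
}

// Constructed sample headers, not taken from any real deployment.
const SAMPLE_HEADERS = {
  strict: "default-src 'self'; script-src 'self' https://app.posthog.com",
  nonceBased: "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:",
  inlineAllowed: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  wildcard: "default-src *",
  noScriptDirective: "img-src 'self'; frame-ancestors 'none'",
};

for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
  const r = evaluateScriptPolicy(header);
  console.log(`${label}: ${r.restricts ? "mitigates" : "does NOT mitigate"} (${r.reason})`);
}
```

Two things the checker cannot see: the policy must be delivered in the enforcing Content-Security-Policy header, since Content-Security-Policy-Report-Only only reports violations; and an allowlisted origin that hosts a JSONP endpoint or an old framework build can still be used to run attacker-controlled script, which is why a nonce-based policy with 'strict-dynamic' is the more robust form.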

References

We will publish details of the vulnerability in 30 days as per our security policy.

Affected configurations

Node (npm package, as indexed by Vulners)
  Vendor: posthog    Product: posthog-js    Range: <1.57.2

CPE
  Vendor: posthog    Product: posthog-js    Version: *
  cpe:2.3:a:posthog:posthog-js:*:*:*:*:*:*:*:*
