Lucene search
GoogleOSV:GHSA-8775-5HWV-WR6VHistoryMay 22, 2023 - 8:35 p.m.
Potential for cross-site scripting in PostHog-js
2023-05-2220:35:03
Google
osv.dev
9
cross-site scripting
posthog-js
patched version
content security policy
html tracking snippet
posthog cloud
CVSS3
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
0.001
Percentile
32.5%
Impact
Potential for cross-site scripting in posthog-js.
Patches
The problem has been patched in posthog-js version 1.57.2.
Workarounds
- This isn’t an issue for sites that have a Content Security Policy in place.
- Using the HTML tracking snippet on PostHog Cloud always guarantees the latest version of the library – in that case no action is required to upgrade to the patched version.
References
We will publish details of the vulnerability in 30 days as per our security policy.
Related
cvelist
cvelist
CVE-2023-32325 Cross-site scripting in PostHog-js
2023-05-26 23:00:17
veracode
veracode
Cross-site Scripting (XSS)
2023-05-24 01:44:56
prion
prion
Cross site scripting
2023-05-27 00:15:00
nvd
nvd
CVE-2023-32325
2023-05-27 00:15:09
osv
osv
CVE-2023-32325
2023-05-27 00:15:09
github
github
Potential for cross-site scripting in PostHog-js
2023-05-22 20:35:03
cve
cve
CVE-2023-32325
2023-05-27 00:15:09
CVSS3
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
0.001
Percentile
32.5%
Related for OSV:GHSA-8775-5HWV-WR6V