GHSA-8775-5hwv-wr6v: Potential for cross-site scripting in PostHog-js

Impact

Potential for cross-site scripting in posthog-js.

Patches

The problem has been patched in posthog-js version 1.57.2.

Workarounds

  • This isn’t an issue for sites that have a Content Security Policy in place, provided the policy actually restricts script execution (a script-src, or default-src fallback, that does not allow 'unsafe-inline'); a permissive CSP does not help.
  • The HTML tracking snippet on PostHog Cloud always loads the latest version of the library, so sites using it need take no action to receive the patched version.
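The two workarounds above turn into two concrete checks: is the installed posthog-js older than 1.57.2, and does the site's Content-Security-Policy actually refuse inline script execution (the property the CSP workaround depends on)? The following is an added example written for this page, not PostHog's code; the lockfile fragment, CSP headers and the `https://cdn.example.com` host are constructed sample data, and the CSP test is a heuristic covering the inline-script case only, not every XSS vector.

```javascript
// Added example (not PostHog's code). Checks for the posthog-js advisory:
// (1) is the installed version older than the patched release, and
// (2) does the site's CSP restrict script execution. Sample inputs are constructed.

const PATCHED_VERSION = "1.57.2"; // from the advisory

// Compare two dotted version strings numerically ("1.57.10" > "1.57.2").
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version predates the fix.
function isVulnerableVersion(installed) {
  return compareVersions(installed, PATCHED_VERSION) < 0;
}

// Read the posthog-js version out of a parsed package-lock.json
// (lockfileVersion 2/3 layout, where entries live under "packages").
function installedPosthogVersion(lockJson) {
  const pkgs = lockJson.packages || {};
  const entry = pkgs["node_modules/posthog-js"];
  return entry ? entry.version : null;
}

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does the policy refuse inline <script> execution? script-src governs
// scripts and falls back to default-src. 'unsafe-inline' re-enables inline
// scripts unless a nonce- or hash-source is also listed, in which case
// CSP Level 2+ browsers ignore 'unsafe-inline'. No directive means no restriction.
function cspBlocksInlineScript(header) {
  const csp = parseCsp(header);
  const sources = csp["script-src"] || csp["default-src"];
  if (!sources) return false;
  const lowered = sources.map((s) => s.replace(/^'|'$/g, "").toLowerCase());
  const hasNonceOrHash = lowered.some(
    (s) => s.startsWith("nonce-") || /^sha(256|384|512)-/.test(s)
  );
  const unsafeInline = lowered.includes("unsafe-inline");
  return !unsafeInline || hasNonceOrHash;
}

// Combine both checks the way the advisory frames them.
function assessSite(lockJson, cspHeader) {
  const version = installedPosthogVersion(lockJson);
  const vulnerable = version !== null && isVulnerableVersion(version);
  const cspMitigates = cspBlocksInlineScript(cspHeader || "");
  let action = "none";
  if (vulnerable) action = cspMitigates ? "upgrade when convenient" : "upgrade now";
  return { version, vulnerable, cspMitigates, action };
}

// Constructed sample data: a lockfile pinning a pre-fix version, and two CSPs.
// The host below is a placeholder for wherever the site actually loads posthog-js from.
const sampleLock = {
  lockfileVersion: 3,
  packages: { "node_modules/posthog-js": { version: "1.57.1" } },
};
const weakCsp = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const strongCsp = "default-src 'self'; script-src 'self' https://cdn.example.com";

console.log(assessSite(sampleLock, weakCsp));   // action: "upgrade now"
console.log(assessSite(sampleLock, strongCsp)); // action: "upgrade when convenient"
```

Run it with `node` after pointing `sampleLock` at your real parsed package-lock.json and `weakCsp`/`strongCsp` at the header your server actually sends; a `false` from `cspBlocksInlineScript` means the CSP workaround does not apply to your site and the upgrade is the only fix.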

References

We will publish details of the vulnerability in 30 days as per our security policy.


Moderate severity. GitHub Reviewed. Published May 22, 2023 in PostHog/posthog-js. Updated May 22, 2023.

Related news

CVE-2023-32325: fix: Remove API and JS urls (#630) · PostHog/posthog-js@67e07eb

PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. The problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.