Stored XSS in organisation name field in posthog/posthog


Reported on

Mar 11th 2022


When a user creates a new organisation and invites members, the XSS payload is executed when the invitation is opened.

Proof of Concept

Simply create an organisation with the following name: XSS<script>alert(1)</script>.
After saving the organisation, the XSS payload is executed.


In a real-life scenario, an attacker redirects the user to an external asset, and saves the cookie value of the target with document.cookie() functions.

Recommendation

It is recommended to establish proper input filtering on all user-provided data.
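The following is an added example, not part of the original report and not PostHog's code. It renders the organisation name from the proof of concept into a hypothetical invitation template (the template and all function names are assumptions), once unescaped and once with output encoding applied at render time, and then parses the result to check whether the name introduced any element the template does not emit. Note that it demonstrates output encoding rather than the input filtering named in the recommendation.

```python
import html
from html.parser import HTMLParser

# Hypothetical invitation template; the project's real template is not shown on the page.
TEMPLATE = "<h1>Join {org}</h1><p>You have been invited to <b>{org}</b>.</p>"


def render_unsafe(org_name: str) -> str:
    """'Before' form: the stored name is interpolated into markup as-is."""
    return TEMPLATE.format(org=org_name)


def render_escaped(org_name: str) -> str:
    """Hardened form: encode the name for the HTML context at output time."""
    return TEMPLATE.format(org=html.escape(org_name, quote=True))


class _Collector(HTMLParser):
    """Records every element name and the text a reader would see."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def _parse(rendered: str) -> _Collector:
    collector = _Collector()
    collector.feed(rendered)
    collector.close()
    return collector


def injected_tags(rendered: str, allowed=("h1", "p", "b")) -> list:
    """Return element names in the output that the template itself never emits."""
    return [tag for tag in _parse(rendered).tags if tag not in allowed]


def visible_text(rendered: str) -> str:
    """Return the text content of the rendered invitation."""
    return "".join(_parse(rendered).text)


if __name__ == "__main__":
    name = "XSS<script>alert(1)</script>"  # organisation name from the report
    print("unsafe :", injected_tags(render_unsafe(name)))
    print("escaped:", injected_tags(render_escaped(name)))
    print("shown  :", visible_text(render_escaped(name)))
```

A check like `injected_tags` can serve as a regression test for any template that displays the organisation name: the escaped render must yield an empty list while the name still appears verbatim in the visible text.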

We are processing your report and will contact the posthog team within 24 hours. (a year ago)
We have contacted a member of the posthog team and are waiting to hear back. (a year ago)
We have sent a follow up to the posthog team. We will try again in 7 days. (a year ago)
posthog/posthog maintainer validated this vulnerability (a year ago)
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
posthog/posthog maintainer
a year ago

I can't confirm the fix via the UI but here's the commit

Jamie Slome marked this as fixed in c0a2abd6d721a14ee8cfb7fc9193a12cc04aa729 with commit c0a2ab (a year ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
Jamie Slome
a year ago


I have confirmed the fix for you Tim 👍

Would you like us to go ahead and publish a CVE for this?

Just a heads up that there are also two other outstanding reports here and here.

Jamie Slome
a year ago


I've also gone ahead and created a feature request to make it easier to select fixes on our platform :)

Make it easier to confirm fix commit SHA 👈
