Stored XSS in organisation name field in posthog/posthog


Reported on

Mar 11th 2022


Upon a user creates a new organisation and invites members, by opening the invitation, the XSS payload is being executed.

Proof of Concept

Just simply create an organisation with the following name: XSS<script>alert(1)</script>.
After saving the organisation, the XSS payload is being executed.


In a real life scenario, an attacker redirects the user to an external asset, and saves the cookie value of the target with document.cookie() functions.

#Recommendation It is recommended to establish proper input filtering on every user provided data.

We are processing your report and will contact the posthog team within 24 hours. 2 months ago
We have contacted a member of the posthog team and are waiting to hear back 2 months ago
We have sent a follow up to the posthog team. We will try again in 7 days. 2 months ago
posthog/posthog maintainer validated this vulnerability 2 months ago
TheLabda has been awarded the disclosure bounty
The fix bounty is now up for grabs
posthog/posthog maintainer
2 months ago


I can't confirm the fix via the UI but here's the commit

Jamie Slome confirmed that a fix has been merged on c0a2ab 2 months ago
The fix bounty has been dropped
Jamie Slome
2 months ago


I have confirmed the fix for you Tim 👍

Would you like us to go ahead and publish a CVE for this?

Just a heads up that there are also two other outstanding reports here and here.

Jamie Slome
2 months ago


I've also gone ahead and created a feature request to make it easier to select fixes on our platform :)

Make it easier to confirm fix commit SHA 👈

to join this conversation