Stored XSS in organisation name field in posthog/posthog
Valid
Reported on Mar 11th 2022
Description
When a user creates a new organisation and invites members, the XSS payload is executed when the invitation is opened.
Proof of Concept
Simply create an organisation with the following name: XSS<script>alert(1)</script>.
After saving the organisation, the XSS payload is executed.
Impact
In a real-life scenario, an attacker redirects the user to an external asset and saves the target's cookie value, read via document.cookie.
Recommendation
It is recommended to establish proper input filtering on all user-provided data.
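An added example, not part of the original report or PostHog's own code: the organisation name from the proof of concept rendered into a hypothetical invitation template, first interpolated raw and then HTML-encoded at output, with a parser-based check that can serve as a regression test. The template, the function names and the use of output encoding (rather than the input filtering the report recommends) are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the organisation name from the proof of concept.
POC_NAME = "XSS<script>alert(1)</script>"

# Hypothetical invitation markup; the real template is not shown on this page.
INVITE_TEMPLATE = "<h1>You have been invited to join {org}</h1>"


def render_invite_unsafe(org_name: str) -> str:
    """Vulnerable 'before' form: the stored name is interpolated as markup."""
    return INVITE_TEMPLATE.format(org=org_name)


def render_invite_safe(org_name: str) -> str:
    """Hardened form: encode the name for the HTML context at output time."""
    return INVITE_TEMPLATE.format(org=html.escape(org_name, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser recognises in the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Return the element names found in the rendered markup, in order."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def regression_check(org_name: str) -> bool:
    """True when the name adds no element beyond the template's own <h1>."""
    return tags_in(render_invite_safe(org_name)) == ["h1"]


if __name__ == "__main__":
    print("unsafe:", tags_in(render_invite_unsafe(POC_NAME)))
    print("safe:  ", tags_in(render_invite_safe(POC_NAME)))
```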
We are processing your report and will contact the posthog team within 24 hours.
a year ago
We have contacted a member of the posthog team and are waiting to hear back
a year ago
We have sent a follow up to the posthog team. We will try again in 7 days.
a year ago
A posthog/posthog maintainer commented a year ago
I can't confirm the fix via the UI but here's the commit https://github.com/PostHog/posthog/commit/c0a2abd6d721a14ee8cfb7fc9193a12cc04aa729
Jamie Slome marked this as fixed in c0a2abd6d721a14ee8cfb7fc9193a12cc04aa729 with commit c0a2ab a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
I've also gone ahead and created a feature request to make it easier to select fixes on our platform :)