Stored XSS in organisation name field in posthog/posthog
Mar 11th 2022
When a user creates a new organisation and invites members, the organisation name is stored without sanitisation and rendered unescaped, so the XSS payload executes as soon as an invitee opens the invitation.
# Proof of Concept
Create an organisation with the following name: XSS<script>alert(1)</script>. After the organisation is saved, the payload executes wherever the name is rendered, including the invitation page shown to invited members.
In a real-world scenario the payload would not pop an alert but would exfiltrate the victim's session: for example, reading document.cookie (a property, not a function) or tokens kept in web storage and sending them to an attacker-controlled host via a redirect or a background request. Because the payload is stored, it fires for every user who views the organisation name, not just the attacker's own session. Cookies flagged HttpOnly are not readable from script, but the injected script can still act on the victim's behalf inside the application.
# Recommendation
Treat the organisation name as untrusted data and encode it for the context in which it is rendered (HTML text, HTML attribute, JavaScript, URL) at output time; in a React front end such as PostHog's this means rendering it as text rather than injecting it as raw HTML. Input validation on every user-supplied field (for example, restricting the characters or length allowed in a name) is useful defence in depth but is not a substitute for output encoding, since the same value may be displayed in other contexts such as invitation emails. A Content Security Policy and HttpOnly session cookies further limit what a successful injection can do.
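The following is an added illustration, not PostHog code, of the rendering defect described in the proof of concept and the output-encoding fix recommended above. It assumes a hypothetical invitation template that interpolates the organisation name into HTML; the helper names (escapeHtml, renderInviteUnsafe, renderInviteSafe, isAcceptableOrgName) are illustrative, and the sample payload is the one from the proof of concept.

```javascript
// Added example (not PostHog's code): rendering a stored organisation name into
// an invitation page, with and without contextual output encoding.

// HTML-entity encode the characters that are significant in HTML text and
// attribute contexts. This is the core of the fix.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: trusts the stored name and splices it straight into markup.
// This reproduces the class of behaviour the report describes (hypothetical template).
function renderInviteUnsafe(orgName, inviter) {
  return `<p>${inviter} invited you to join <b>${orgName}</b></p>`;
}

// Hardened: every untrusted value is encoded for the HTML context it lands in.
function renderInviteSafe(orgName, inviter) {
  return `<p>${escapeHtml(inviter)} invited you to join <b>${escapeHtml(orgName)}</b></p>`;
}

// Defence in depth at input time: reject obvious markup and enforce a length cap.
// Not a substitute for output encoding, because the same name may later be
// rendered in an email, an attribute, or a JavaScript string with different rules.
function isAcceptableOrgName(name) {
  return typeof name === 'string'
    && name.trim().length > 0
    && name.length <= 100
    && !/[<>]/.test(name);
}

// Constructed sample input: the exact payload from the proof of concept.
const PAYLOAD = 'XSS<script>alert(1)</script>';

console.log('unsafe:', renderInviteUnsafe(PAYLOAD, 'alice'));
console.log('safe:  ', renderInviteSafe(PAYLOAD, 'alice'));
console.log('accepted at input?', isAcceptableOrgName(PAYLOAD));
```

Running it shows the unsafe template emitting a live `<script>` element while the safe template emits `&lt;script&gt;`, which the browser displays as text. A legitimate name such as "Acme & Sons" still passes the input check and is rendered correctly, since the ampersand is encoded rather than rejected.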