GHSA-8775-5hwv-wr6v

Published: 22 May 2023
Source: github
GitHub: reviewed
CVSS3: 5.4

Description

Potential for cross-site scripting in PostHog-js

Impact

Potential for cross-site scripting in posthog-js.

Patches

The problem has been patched in posthog-js version 1.57.2.

Workarounds

  • Sites that already enforce a Content Security Policy are not affected, provided the policy actually restricts script execution: a script-src (or default-src fallback) that allows 'unsafe-inline' without a nonce or hash, or that allows arbitrary remote hosts, does not block injected script.
  • Sites that use the HTML tracking snippet on PostHog Cloud load the library from PostHog and therefore always receive the latest version; no action is required there to get the patched release.
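The CSP workaround only holds when the policy really constrains where scripts may come from. The checker below is an added example written for this page, not PostHog code: it parses a Content-Security-Policy header value, finds the directive that governs script execution (script-src-elem, then script-src, then default-src), and reports whether injected inline script and arbitrary remote script would be blocked. The sample policies are constructed for illustration and the host `https://cdn.example.com` is a placeholder.

```javascript
// Added example: does a Content-Security-Policy actually stop injected script?
// Not PostHog code. The policies in POLICIES are constructed for illustration.

// Parse a CSP header value into a Map of directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Per the CSP spec a repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Return the source list that governs <script> execution, or null if no
// directive applies (in which case the policy places no limit on scripts).
function effectiveScriptSources(directives) {
  for (const name of ["script-src-elem", "script-src", "default-src"]) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// Evaluate a policy against the two things an XSS needs: running inline script
// and pulling in a script from an attacker-controlled host.
function evaluateScriptPolicy(header) {
  const sources = effectiveScriptSources(parseCsp(header));
  const reasons = [];
  if (sources === null) {
    reasons.push("no script-src, script-src-elem or default-src directive");
    return { blocksInline: false, blocksRemote: false, reasons };
  }
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const hasUnsafeInline = sources.includes("'unsafe-inline'");
  // CSP Level 3: 'unsafe-inline' is ignored when a nonce or hash source is present,
  // so a nonce-based policy may carry it as a fallback for old browsers.
  const blocksInline = !hasUnsafeInline || hasNonceOrHash;
  if (!blocksInline) reasons.push("'unsafe-inline' allows injected inline script");
  if (hasUnsafeInline && hasNonceOrHash) {
    reasons.push("'unsafe-inline' present but ignored because a nonce/hash source is present");
  }
  // With 'strict-dynamic' host and scheme allowlists are ignored, so broad
  // sources do not widen the policy; without it, a wildcard or bare scheme
  // lets the attacker load a script from any host.
  const hasStrictDynamic = sources.includes("'strict-dynamic'");
  const broadSources = sources.filter((s) => ["*", "https:", "http:", "data:"].includes(s));
  const blocksRemote = hasStrictDynamic || broadSources.length === 0;
  if (!blocksRemote) reasons.push(`broad source(s) allow arbitrary remote script: ${broadSources.join(" ")}`);
  return { blocksInline, blocksRemote, reasons };
}

// Constructed sample policies (not from any real deployment).
const POLICIES = {
  weak: "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
  nonceBased: "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'",
  strict: "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
  absent: "img-src 'self'",
};

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, evaluateScriptPolicy(policy));
}
```

Only `nonceBased` and `strict` would qualify for the workaround above; `weak` looks like a CSP but blocks neither injected inline script nor a script loaded from any HTTPS host, and `absent` has no script directive at all.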

References

We will publish details of the vulnerability in 30 days as per our security policy.

Packages

Package: posthog-js (npm)
Affected versions: < 1.57.2
Fixed version: 1.57.2
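Checking whether an application pulls in an affected build means comparing every installed copy against the fixed version, including copies nested under other dependencies and prerelease builds of 1.57.2 itself, which sort below the release. The script below is an added example for this page, not PostHog tooling: it implements semver precedence and walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3, where each key is the install path). The lockfile is constructed for illustration.

```javascript
// Added example: find vulnerable posthog-js installs in an npm lockfile.
// Not PostHog code. FIXED_VERSION comes from the advisory (< 1.57.2 affected);
// SAMPLE_LOCKFILE is constructed for illustration.

const PACKAGE = "posthog-js";
const FIXED_VERSION = "1.57.2";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ? m[4].split(".") : [] };
}

// Negative if a < b, 0 if equal, positive if a > b, following semver precedence:
// numeric comparison per field (so 1.6.0 < 1.57.2), and 1.57.2-beta.1 < 1.57.2.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease.length === 0 && pb.prerelease.length === 0) return 0;
  if (pa.prerelease.length === 0) return 1;  // a release outranks any prerelease
  if (pb.prerelease.length === 0) return -1;
  const n = Math.max(pa.prerelease.length, pb.prerelease.length);
  for (let i = 0; i < n; i++) {
    const x = pa.prerelease[i], y = pb.prerelease[i];
    if (x === undefined) return -1;  // shorter prerelease list has lower precedence
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (+x !== +y) return +x - +y; }
    else if (xn) return -1;  // numeric identifiers rank below alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected means strictly older than the fixed release.
function isAffected(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the lockfile's "packages" map. Every key ending in "node_modules/posthog-js"
// is an installed copy; nested copies live under other packages' node_modules.
function findAffectedInstalls(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages ?? {})) {
    const isTarget = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile: a hoisted vulnerable copy and a nested, already patched one.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/posthog-js": { version: "1.57.1" },
    "node_modules/some-widget": { version: "2.0.0" },
    "node_modules/some-widget/node_modules/posthog-js": { version: "1.57.2" },
  },
};

console.log(findAffectedInstalls(SAMPLE_LOCKFILE));
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a string comparison of version numbers would have missed the 1.6.x-style case, which is why the comparison is done field by field.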

EPSS

Percentile: 65%
Probability: 0.00492
Low

5.4 Medium

CVSS3

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
nvd
more than 2 years ago

PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. The problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.
