Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    14 vulnerabilities by PostHog

    CVE-2025-1522 (GCVE-0-2025-1522)

    Vulnerability from nvd – Published: 2025-04-23 16:45 – Updated: 2025-04-23 18:30
    VLAI
    Title
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability
    Summary
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-25358.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e
    Create a notification for this product.
    Date Public
    2025-02-25 13:22
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1522",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T18:30:22.547093Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:30:31.914Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e"
                }
              ]
            }
          ],
          "dateAssigned": "2025-02-20T20:51:29.162Z",
          "datePublic": "2025-02-25T13:22:27.928Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-25358."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-23T16:45:44.643Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-25-097",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-097/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/commit/3732c0fd9551ed29521b58611bf1e44d918c1032"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2025-1522",
        "datePublished": "2025-04-23T16:45:44.643Z",
        "dateReserved": "2025-02-20T20:51:29.139Z",
        "dateUpdated": "2025-04-23T18:30:31.914Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1521 (GCVE-0-2025-1521)

    Vulnerability from nvd – Published: 2025-04-23 16:45 – Updated: 2025-04-23 18:10
    VLAI
    Title
    PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability
    Summary
    PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of the slack_incoming_webhook parameter. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25352.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e
    Create a notification for this product.
    Date Public
    2025-02-25 13:22
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1521",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T18:10:16.442509Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:10:39.906Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e"
                }
              ]
            }
          ],
          "dateAssigned": "2025-02-20T20:51:21.085Z",
          "datePublic": "2025-02-25T13:22:10.064Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the processing of the slack_incoming_webhook parameter. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25352."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-23T16:45:32.855Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-25-096",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-096/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/commit/6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2025-1521",
        "datePublished": "2025-04-23T16:45:32.855Z",
        "dateReserved": "2025-02-20T20:51:21.063Z",
        "dateUpdated": "2025-04-23T18:10:39.906Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1520 (GCVE-0-2025-1520)

    Vulnerability from nvd – Published: 2025-04-23 16:45 – Updated: 2025-04-23 18:13
    VLAI
    Title
    PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability
    Summary
    PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e, clickhouse 23.12.6.19-alpine
    Create a notification for this product.
    Date Public
    2025-02-25 23:21
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1520",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T18:13:15.488980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:13:52.561Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e, clickhouse 23.12.6.19-alpine"
                }
              ]
            }
          ],
          "dateAssigned": "2025-02-20T20:51:11.411Z",
          "datePublic": "2025-02-25T23:21:40.581Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-23T16:45:19.536Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-25-099",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-099/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/commit/6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2025-1520",
        "datePublished": "2025-04-23T16:45:19.536Z",
        "dateReserved": "2025-02-20T20:51:11.373Z",
        "dateUpdated": "2025-04-23T18:13:52.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9710 (GCVE-0-2024-9710)

    Vulnerability from nvd – Published: 2024-11-22 20:24 – Updated: 2024-11-26 15:13
    VLAI
    Title
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability
    Summary
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25351.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e
    Create a notification for this product.
    Date Public
    2024-10-15 15:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9710",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-26T15:12:11.939263Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-26T15:13:20.408Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e"
                }
              ]
            }
          ],
          "dateAssigned": "2024-10-09T19:36:43.386Z",
          "datePublic": "2024-10-15T15:37:33.453Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25351."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-22T20:24:41.179Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-1383",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1383/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/pull/25388"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2024-9710",
        "datePublished": "2024-11-22T20:24:41.179Z",
        "dateReserved": "2024-10-09T19:36:43.343Z",
        "dateUpdated": "2024-11-26T15:13:20.408Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46746 (GCVE-0-2023-46746)

    Vulnerability from nvd – Published: 2023-12-01 21:53 – Updated: 2024-08-02 20:53
    VLAI
    Title
    Authenticated PostHog users vulnerable to SSRF
    Summary
    PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    PostHog posthog Affected: <=1.43.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:20.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"
              },
              {
                "name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"
              },
              {
                "name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "posthog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=1.43.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-11T18:25:11.493Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"
            },
            {
              "name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"
            },
            {
              "name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"
            }
          ],
          "source": {
            "advisory": "GHSA-wqqw-r8c5-j67c",
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated PostHog users vulnerable to SSRF"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-46746",
        "datePublished": "2023-12-01T21:53:19.584Z",
        "dateReserved": "2023-10-25T14:30:33.753Z",
        "dateUpdated": "2024-08-02T20:53:20.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32325 (GCVE-0-2023-32325)

    Vulnerability from nvd – Published: 2023-05-26 23:00 – Updated: 2025-01-14 18:40
    VLAI
    Title
    Cross-site scripting in PostHog-js
    Summary
    PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    PostHog posthog-js Affected: < 1.57.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:10:24.912Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v"
              },
              {
                "name": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32325",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-14T18:40:27.923682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-14T18:40:43.462Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "posthog-js",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.57.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-26T23:00:17.880Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v"
            },
            {
              "name": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0"
            }
          ],
          "source": {
            "advisory": "GHSA-8775-5hwv-wr6v",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-site scripting in PostHog-js"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32325",
        "datePublished": "2023-05-26T23:00:17.880Z",
        "dateReserved": "2023-05-08T13:26:03.880Z",
        "dateUpdated": "2025-01-14T18:40:43.462Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0645 (GCVE-0-2022-0645)

    Vulnerability from nvd – Published: 2022-04-19 11:20 – Updated: 2024-08-02 23:32
    VLAI
    Title
    Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in posthog/posthog
    Summary
    Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1.
    CWE
    • CWE-601 - URL Redirection to Untrusted Site
    Assigner
    References
    Impacted products
    Vendor Product Version
    posthog posthog/posthog Affected: unspecified , < 1.34.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:32:46.538Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "posthog/posthog",
              "vendor": "posthog",
              "versions": [
                {
                  "lessThan": "1.34.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-19T11:25:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038"
            }
          ],
          "source": {
            "advisory": "c13258a2-30e3-4261-9a3b-2f39c49a8bd6",
            "discovery": "EXTERNAL"
          },
          "title": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect=  in posthog/posthog",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0645",
              "STATE": "PUBLIC",
              "TITLE": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect=  in posthog/posthog"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "posthog/posthog",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.34.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "posthog"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601 URL Redirection to Untrusted Site"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6"
                },
                {
                  "name": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038",
                  "refsource": "MISC",
                  "url": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038"
                }
              ]
            },
            "source": {
              "advisory": "c13258a2-30e3-4261-9a3b-2f39c49a8bd6",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0645",
        "datePublished": "2022-04-19T11:20:10.000Z",
        "dateReserved": "2022-02-16T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:32:46.538Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1522 (GCVE-0-2025-1522)

    Vulnerability from cvelistv5 – Published: 2025-04-23 16:45 – Updated: 2025-04-23 18:30
    VLAI
    Title
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability
    Summary
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-25358.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e
    Create a notification for this product.
    Date Public
    2025-02-25 13:22
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1522",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T18:30:22.547093Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:30:31.914Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e"
                }
              ]
            }
          ],
          "dateAssigned": "2025-02-20T20:51:29.162Z",
          "datePublic": "2025-02-25T13:22:27.928Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-25358."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-23T16:45:44.643Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-25-097",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-097/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/commit/3732c0fd9551ed29521b58611bf1e44d918c1032"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2025-1522",
        "datePublished": "2025-04-23T16:45:44.643Z",
        "dateReserved": "2025-02-20T20:51:29.139Z",
        "dateUpdated": "2025-04-23T18:30:31.914Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1521 (GCVE-0-2025-1521)

    Vulnerability from cvelistv5 – Published: 2025-04-23 16:45 – Updated: 2025-04-23 18:10
    VLAI
    Title
    PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability
    Summary
    PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the processing of the slack_incoming_webhook parameter. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25352.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e
    Create a notification for this product.
    Date Public
    2025-02-25 13:22
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1521",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T18:10:16.442509Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:10:39.906Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e"
                }
              ]
            }
          ],
          "dateAssigned": "2025-02-20T20:51:21.085Z",
          "datePublic": "2025-02-25T13:22:10.064Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the processing of the slack_incoming_webhook parameter. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25352."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-23T16:45:32.855Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-25-096",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-096/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/commit/6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog slack_incoming_webhook Server-Side Request Forgery Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2025-1521",
        "datePublished": "2025-04-23T16:45:32.855Z",
        "dateReserved": "2025-02-20T20:51:21.063Z",
        "dateUpdated": "2025-04-23T18:10:39.906Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1520 (GCVE-0-2025-1520)

    Vulnerability from cvelistv5 – Published: 2025-04-23 16:45 – Updated: 2025-04-23 18:13
    VLAI
    Title
    PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability
    Summary
    PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e, clickhouse 23.12.6.19-alpine
    Create a notification for this product.
    Date Public
    2025-02-25 23:21
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1520",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T18:13:15.488980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:13:52.561Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e, clickhouse 23.12.6.19-alpine"
                }
              ]
            }
          ],
          "dateAssigned": "2025-02-20T20:51:11.411Z",
          "datePublic": "2025-02-25T23:21:40.581Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the SQL parser. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of the database account. Was ZDI-CAN-25350."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-04-23T16:45:19.536Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-25-099",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-099/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/commit/6e8f035f9acd339c5ba87ba6ea40fc1ab3053d42"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2025-1520",
        "datePublished": "2025-04-23T16:45:19.536Z",
        "dateReserved": "2025-02-20T20:51:11.373Z",
        "dateUpdated": "2025-04-23T18:13:52.561Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-9710 (GCVE-0-2024-9710)

    Vulnerability from cvelistv5 – Published: 2024-11-22 20:24 – Updated: 2024-11-26 15:13
    VLAI
    Title
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability
    Summary
    PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25351.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    PostHog PostHog Affected: b8817c14065c23159dcf52849f0bdcd12516c43e
    Create a notification for this product.
    Date Public
    2024-10-15 15:37
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-9710",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-26T15:12:11.939263Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-26T15:13:20.408Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "PostHog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "b8817c14065c23159dcf52849f0bdcd12516c43e"
                }
              ]
            }
          ],
          "dateAssigned": "2024-10-09T19:36:43.386Z",
          "datePublic": "2024-10-15T15:37:33.453Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PostHog. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the database_schema method. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-25351."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-22T20:24:41.179Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "ZDI-24-1383",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1383/"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/PostHog/posthog/pull/25388"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Mehmet INCE (@mdisec) from PRODAFT.com"
          },
          "title": "PostHog database_schema Server-Side Request Forgery Information Disclosure Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2024-9710",
        "datePublished": "2024-11-22T20:24:41.179Z",
        "dateReserved": "2024-10-09T19:36:43.343Z",
        "dateUpdated": "2024-11-26T15:13:20.408Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-46746 (GCVE-0-2023-46746)

    Vulnerability from cvelistv5 – Published: 2023-12-01 21:53 – Updated: 2024-08-02 20:53
    VLAI
    Title
    Authenticated PostHog users vulnerable to SSRF
    Summary
    PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    PostHog posthog Affected: <=1.43.1
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:53:20.967Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"
              },
              {
                "name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"
              },
              {
                "name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "posthog",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c=1.43.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "LOW",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-12-11T18:25:11.493Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"
            },
            {
              "name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"
            },
            {
              "name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"
            }
          ],
          "source": {
            "advisory": "GHSA-wqqw-r8c5-j67c",
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated PostHog users vulnerable to SSRF"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-46746",
        "datePublished": "2023-12-01T21:53:19.584Z",
        "dateReserved": "2023-10-25T14:30:33.753Z",
        "dateUpdated": "2024-08-02T20:53:20.967Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32325 (GCVE-0-2023-32325)

    Vulnerability from cvelistv5 – Published: 2023-05-26 23:00 – Updated: 2025-01-14 18:40
    VLAI
    Title
    Cross-site scripting in PostHog-js
    Summary
    PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    PostHog posthog-js Affected: < 1.57.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:10:24.912Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v"
              },
              {
                "name": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-32325",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-14T18:40:27.923682Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-14T18:40:43.462Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "posthog-js",
              "vendor": "PostHog",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.57.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-26T23:00:17.880Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v"
            },
            {
              "name": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0"
            }
          ],
          "source": {
            "advisory": "GHSA-8775-5hwv-wr6v",
            "discovery": "UNKNOWN"
          },
          "title": "Cross-site scripting in PostHog-js"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32325",
        "datePublished": "2023-05-26T23:00:17.880Z",
        "dateReserved": "2023-05-08T13:26:03.880Z",
        "dateUpdated": "2025-01-14T18:40:43.462Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-0645 (GCVE-0-2022-0645)

    Vulnerability from cvelistv5 – Published: 2022-04-19 11:20 – Updated: 2024-08-02 23:32
    VLAI
    Title
    Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in posthog/posthog
    Summary
    Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1.
    CWE
    • CWE-601 - URL Redirection to Untrusted Site
    Assigner
    References
    Impacted products
    Vendor Product Version
    posthog posthog/posthog Affected: unspecified , < 1.34.1 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:32:46.538Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "posthog/posthog",
              "vendor": "posthog",
              "versions": [
                {
                  "lessThan": "1.34.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-04-19T11:25:09.000Z",
            "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
            "shortName": "@huntrdev"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038"
            }
          ],
          "source": {
            "advisory": "c13258a2-30e3-4261-9a3b-2f39c49a8bd6",
            "discovery": "EXTERNAL"
          },
          "title": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect=  in posthog/posthog",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@huntr.dev",
              "ID": "CVE-2022-0645",
              "STATE": "PUBLIC",
              "TITLE": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect=  in posthog/posthog"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "posthog/posthog",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_value": "1.34.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "posthog"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in GitHub repository posthog/posthog prior to 1.34.1."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-601 URL Redirection to Untrusted Site"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6",
                  "refsource": "CONFIRM",
                  "url": "https://huntr.dev/bounties/c13258a2-30e3-4261-9a3b-2f39c49a8bd6"
                },
                {
                  "name": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038",
                  "refsource": "MISC",
                  "url": "https://github.com/posthog/posthog/commit/859d8ed9ac7c5026db09714a26c85c1458abb038"
                }
              ]
            },
            "source": {
              "advisory": "c13258a2-30e3-4261-9a3b-2f39c49a8bd6",
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "assignerShortName": "@huntrdev",
        "cveId": "CVE-2022-0645",
        "datePublished": "2022-04-19T11:20:10.000Z",
        "dateReserved": "2022-02-16T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:32:46.538Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }