{"id":"CVE-2023-32325","summary":"Cross-site scripting in PostHog-js","details":"PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.","aliases":["GHSA-8775-5hwv-wr6v"],"modified":"2026-04-10T04:59:18.391123Z","published":"2023-05-26T23:00:17.880Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32325.json","cwe_ids":["CWE-79"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32325.json"},{"type":"ADVISORY","url":"https://github.com/PostHog/posthog-js/security/advisories/GHSA-8775-5hwv-wr6v"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32325"},{"type":"FIX","url":"https://github.com/PostHog/posthog-js/commit/67e07eb8bb271a3a6f4aa251382e4d25abb385a0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/PostHog/posthog-js","events":[{"introduced":"0"},{"fixed":"9f75a06d5a1575b39d96c257f9e4b90cd2b5ad7d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.57.2"}]}},{"type":"GIT","repo":"https://github.com/posthog/posthog-js","events":[{"introduced":"0"},{"fixed":"67e07eb8bb271a3a6f4aa251382e4d25abb385a0"}]}],"versions":["1.0.5","1.0.6","v1.1.0","v1.1.1","v1.1.2","v1.10.1","v1.10.2","v1.11.0","v1.11.1","v1.11.2","v1.11.3","v1.11.4","v1.12.0","v1.12.1","v1.12.2","v1.12.3","v1.12.4","v1.12.5","v1.12.6","v1.12.7","v1.13.0","v1.13.1","v1.13.10","v1.13.11","v1.13.12","v1.13.13","v1.13.14","v1.13.15","v1.13.16","v1.13.17","v1.13.2","v1.13.3","v1.13.4","v1.13.5","v1.13.6","v1.13.7","v1.13.8","v1.13.9","v1.14.0","v1.14.1","v1.14.2","v1.14.3","v1.14.4","v1.14.5","v1.15.0","v1.15.1","v1.15.2","v1.15.3","v1.15.4","v1.16.0","v1.16.1","v1.16.2","v1.16.3","v1.16.4","v1.16.5","v1.16.6","v1.16.7","v1.16.8","v1.17.0","v1.17.1","v1.17.2","v1.17.3","v1.17.4","v1.17.5","v1.17.6","v1.17.7","v1.17.8","v1.17.9","v1.18.0","v1.19.0","v1.19.1","v1.19.2","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.20.0","v1.20.1","v1.20.2","v1.20.3","v1.20.4","v1.20.5","v1.21.0","v1.21.1","v1.22.0","v1.23.0","v1.24.0","v1.25.0","v1.25.1","v1.25.2","v1.26.0","v1.26.1","v1.26.2","v1.27.0","v1.28.0","v1.29.0","v1.29.1","v1.29.2","v1.29.3","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.30.0","v1.31.0","v1.31.1","v1.32.0","v1.32.1","v1.32.2","v1.32.3","v1.32.4","v1.33.0","v1.34.0","v1.34.1","v1.35.0","v1.36.0","v1.36.1","v1.37.0","v1.38.0","v1.38.1","v1.39.0","v1.39.1","v1.39.2","v1.39.3","v1.39.4","v1.39.5","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.40.0","v1.40.1","v1.40.2","v1.41.0","v1.42.0","v1.42.1","v1.42.2","v1.42.3","v1.43.0","v1.43.1","v1.44.0","v1.45.0","v1.45.1","v1.46.0","v1.46.1","v1.46.2","v1.47.0","v1.48.0","v1.48.1","v1.48.2","v1.49.0","v1.5.0-beta.0","v1.5.2","v1.50.0","v1.50.1","v1.50.2","v1.50.3","v1.50.4","v1.50.5","v1.50.6","v1.50.7","v1.50.8","v1.50.9","v1.51.0","v1.51.1","v1.51.2","v1.51.3","v1.51.4","v1.51.5","v1.52.0","v1.53.0","v1.53.1","v1.53.2","v1.53.3","v1.53.4","v1.54.0","v1.55.0","v1.55.1","v1.55.2","v1.56.0","v1.57.0","v1.57.1","v1.6.0","v1.7.0","v1.7.0-alpha.0","v1.7.0-alpha.1","v1.7.0-beta.1","v1.7.1","v1.7.2","v1.7.3-beta.1","v1.7.3-beta.10","v1.7.3-beta.11","v1.7.3-beta.2","v1.7.3-beta.3","v1.7.3-beta.4","v1.7.3-beta.5","v1.7.3-beta.6","v1.7.3-beta.7","v1.7.3-beta.8","v1.7.3-beta.9","v1.8.0","v1.8.0-beta.1","v1.8.1","v1.8.10","v1.8.4","v1.8.5","v1.8.7","v1.8.8","v1.8.9","v1.9.0","v1.9.1","v1.9.2","v1.9.3","v1.9.4","v1.9.5","v1.9.6","v1.9.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32325.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}