SSRF vulnerability for logged in users

Low
timgl published GHSA-wqqw-r8c5-j67c Nov 28, 2023

Package

No package listed

Affected versions

<=1.43.1

Patched versions

From commit 22bd5942638d5d9bc4bd603a9bfe8f8a95572292

Description

Impact

A server-side request forgery (SSRF) that can only be exploited by authenticated users was found in PostHog. The URL supplied when enabling a webhook was not checked for pointing at a local address, so an authenticated user could make the server issue a forged POST request.

Patches

Users can upgrade to the latest available Docker image.

Severity

Low

CVE ID

CVE-2023-46746

Weaknesses