Stored Cross-Site Scripting bugs in datadoghq.com

Datadog is a Cloud-Scale Monitoring service for dynamic cloud infrastructure.

I have found two stored Cross-Site Scripting bugs in datadoghq.com. Below are the details.

Bug I: Unescaped “IFrame object” on Dashboard (https://app.datadoghq.com/dash/list)

It was possible to create a dashboard and add an IFrame object whose URL contained a malicious payload such as javascript:alert('https://lubi.cz'). The URL was placed into the frame without any validation of its scheme, so the javascript: URL executed in the context of app.datadoghq.com for anyone viewing the dashboard.

Bug II: “Save this search” (https://app.datadoghq.com/event/stream)

Type the payload (</script><img src=x onerror=alert('https://lubi.cz')>) in the “Search Events…” box, click “Save this search”, and trigger it by visiting https://app.datadoghq.com/event/stream in a new browser tab. The saved search string was written back into a script block without encoding, so the </script> prefix closed that block and the rest of the payload was rendered as HTML.
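An added example, not Datadog's code and not part of the original post, showing the two input-handling checks that close these bug classes in client-side JavaScript: a scheme allowlist for the dashboard IFrame URL, and script-context encoding for a stored value like the saved search. The function names and the assumption that both values are user-controlled and later rendered into the page are mine.

```javascript
// Added example (not Datadog's code). Assumption: an iframe widget URL and a
// saved-search string are both user-controlled and later rendered into HTML.

// Bug I class: an iframe src must be an absolute http(s) URL. "javascript:",
// "data:" and other schemes are rejected rather than escaped, because HTML
// escaping does not stop a javascript: URL from running once the frame
// navigates to it.
function safeIframeSrc(input) {
  let url;
  try {
    url = new URL(String(input)); // no base URL: relative/invalid input throws
  } catch {
    return null;
  }
  // URL parsing lowercases the scheme, so "JAVASCRIPT:" is caught as well.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.href;
}

// Bug II class: a stored string echoed inside a <script> block. HTML escaping
// is the wrong tool for this sink; the value is JSON-encoded and every "<"
// and ">" is turned into a JS unicode escape so that "</script>" (or "<!--")
// can never terminate the script element. U+2028/U+2029 are escaped because
// older engines treat them as line terminators inside string literals.
function toScriptLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Same stored value rendered as HTML text instead of into a script block.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample inputs mirroring the two reports.
const IFRAME_PAYLOAD = "javascript:alert('https://lubi.cz')";
const SEARCH_PAYLOAD = "</script><img src=x onerror=alert('https://lubi.cz')>";
```

`JSON.parse(toScriptLiteral(s))` round-trips to the original `s`, so the search text is preserved for the application while the page markup stays intact.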
