Stored Cross-Site Scripting bugs in datadoghq.com

Datadog is a Cloud-Scale Monitoring service for dynamic cloud infrastructure.

I have found two stored Cross-Site Scripting bugs in datadoghq.com. Below are the details.

Bug I: Unescaped "IFrame object" on Dashboard (https://app.datadoghq.com/dash/list).

It was possible to create a dashboard, add an IFrame object and set its URL to a javascript: URL carrying the payload, for example javascript:alert('https://lubi.cz'). The URL scheme was not validated, so the payload was stored with the dashboard and executed whenever the dashboard was viewed.
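The root cause of Bug I is that a user-controlled string is placed into an iframe src without restricting its scheme. The following is an added example (not Datadog's code; function names, the SAFE_SCHEMES allowlist and the rendering helpers are hypothetical) showing the unchecked rendering next to a hardened version that allowlists http(s), normalises the URL with the WHATWG parser and escapes the attribute:

```javascript
// Added example, not code from the original post or from Datadog.
// Function names and the allowlist are hypothetical.

const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Returns true only if `input` parses as an absolute URL whose scheme is
// allowlisted. The WHATWG URL parser (Node's global URL) strips leading and
// trailing whitespace and removes embedded tabs/newlines, so "java\tscript:"
// normalises to "javascript:" and is rejected along with data:, vbscript:, etc.
// Relative or malformed input fails to parse and is rejected as well.
function isSafeEmbedUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return false;
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Minimal HTML attribute escaping for the value that is eventually embedded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable variant: whatever the user typed lands in src unchanged, so
// javascript:alert('https://lubi.cz') becomes the frame's navigation target.
function renderIframeUnsafe(userUrl) {
  return `<iframe src="${userUrl}"></iframe>`;
}

// Hardened variant: refuse non-http(s) URLs, embed the normalised form with
// attribute escaping, and sandbox the frame so the framed content has an
// opaque origin even if the allowlist were ever bypassed.
function renderIframeSafe(userUrl) {
  if (!isSafeEmbedUrl(userUrl)) {
    return null; // caller should surface a validation error instead
  }
  const href = new URL(userUrl).href;
  return `<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" src="${escapeAttr(href)}"></iframe>`;
}

// Constructed inputs for a stand-alone run.
const SAMPLE_URLS = [
  "javascript:alert('https://lubi.cz')",
  "JAVASCRIPT:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//lubi.cz/",
  "https://lubi.cz",
];

for (const u of SAMPLE_URLS) {
  console.log(JSON.stringify(u), "->", isSafeEmbedUrl(u) ? "allowed" : "rejected");
}
```

The allowlist is applied to the parsed scheme rather than to the raw string, so case changes and embedded whitespace are handled by the parser instead of by a fragile blocklist.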

Bug II: Unescaped "Save this search" on the Event Stream (https://app.datadoghq.com/event/stream).

Type the payload </script><img src=x onerror=alert('https://lubi.cz')> into the "Search Events…" box, click "Save this search", then open https://app.datadoghq.com/event/stream in a new browser tab: the saved search is rendered back into the page unescaped and the payload executes.
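The leading </script> in the Bug II payload suggests the saved search text was reflected inside an inline script block; the example below assumes that context (the page itself does not state it). This is an added example, not Datadog's code, with hypothetical function names: it shows why JSON.stringify alone is not enough when emitting data into a <script>, and the extra escaping that keeps the HTML parser from closing the script element early:

```javascript
// Added example, not code from the original post or from Datadog.
// Assumes the saved query was reflected inside an inline <script>; names are hypothetical.

// Constructed payload, as reported (the alert argument is arbitrary).
const PAYLOAD = "</script><img src=x onerror=alert('https://lubi.cz')>";

// Vulnerable variant. JSON.stringify yields a syntactically valid JS string
// literal, but the HTML tokenizer ends the <script> element at the first
// "</script" it encounters regardless of JS string boundaries; everything after
// it is parsed as markup, so the <img onerror=...> becomes live HTML.
function renderSavedSearchUnsafe(query) {
  return `<script>var savedSearch = ${JSON.stringify(query)};</script>`;
}

// Serialise to JSON, then escape the characters that can change the HTML
// parsing context inside a script (<, >, &) plus U+2028/U+2029, which are legal
// in JSON strings but line terminators in JavaScript. The result is still a
// valid JSON/JS literal with the same value.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened variant: same template, escaped literal.
function renderSavedSearchSafe(query) {
  return `<script>var savedSearch = ${jsonForScript(query)};</script>`;
}

// Check usable in a test or a response filter: count "</script" sequences,
// case-insensitively. A correctly rendered fragment contains exactly one
// (the real closing tag); more than one means user data broke out.
function scriptEndTagCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// The escaped literal must still decode to the original query so the saved
// search keeps working for legitimate input.
function roundTrip(query) {
  return JSON.parse(jsonForScript(query));
}

// Stand-alone demonstration on the constructed payload.
console.log("unsafe :", renderSavedSearchUnsafe(PAYLOAD));
console.log("  </script count:", scriptEndTagCount(renderSavedSearchUnsafe(PAYLOAD)));
console.log("safe   :", renderSavedSearchSafe(PAYLOAD));
console.log("  </script count:", scriptEndTagCount(renderSavedSearchSafe(PAYLOAD)));
console.log("round trip ok:", roundTrip(PAYLOAD) === PAYLOAD);
```

Escaping at the JSON layer is preferable to HTML-escaping the string, because HTML entities are not decoded inside <script> content; the \uXXXX form is interpreted by the JavaScript engine only after the HTML parser has already found the genuine closing tag.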
