Datadog is a Cloud-Scale Monitoring service for dynamic cloud infrastructure.
I have found two stored Cross-Site Scripting bugs in datadoghq.com. Below are the details.
Bug I: Unescaped “IFrame object” on Dashboard (https://app.datadoghq.com/dash/list).
It was possible to create a dashboard and add an IFrame object with URL containing malicious payload like javascript:alert(‘https://lubi.cz’).
Bug II: “Save this search” (https://app.datadoghq.com/event/stream)
Type your payload (</script><img src=x onerror=alert(‘https://lubi.cz’)>) in “Search Events…” box, click “Save this search” and execute it by visiting https://app.datadoghq.com/event/stream in new browser tab.