Stored Cross-Site Scripting bugs in

Datadog is a Cloud-Scale Monitoring service for dynamic cloud infrastructure.

I have found two stored Cross-Site Scripting bugs in Below are the details.

Bug I: Unescaped “IFrame object” on Dashboard (

It was possible to create a dashboard and add an IFrame object with URL containing malicious payload like javascript:alert(‘’).

Bug II:Save this search” (

Type your payload (</script><img src=x onerror=alert(‘’)>) in  “Search Events…” box, click “Save this search” and execute it by visiting in new browser tab.

Leave a Reply

Your email address will not be published. Required fields are marked *