| Reflected XSS in VPN Appliance |
Cross-site Scripting (XSS) - Reflected |
mr-hakhak |
Medium |
2021-11-10 |
| Account takeover by using abandoned email id of victim which has already been changed to new by victim himself on one.newrelic.com |
Improper Authentication - Generic |
ashmek |
Low |
2021-07-02 |
| Untrusted deserialization issue when loading newrelic.yml file in Java agent leads to code execution on host |
Deserialization of Untrusted Data |
j0v |
Low |
2021-06-28 |
| Account Takeover via Email ID Change and Forgot Password Functionality |
Improper Authentication - Generic |
dsdh |
High |
2021-06-28 |
| removed user can still join the organization |
Business Logic Errors |
moon_shadow |
Low |
2021-05-10 |
| Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2021-04-20 |
| "Basic user" which can only access a limited subset of the platform can access certain pages which are restricted to the user by the account owner. |
Improper Access Control - Generic |
jhimansh |
None |
2020-09-22 |
| [NR Synthetics] Restricted User can add/modify alert conditions on monitors without any synthetics privileges |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user |
Information Disclosure |
jon_bottarini |
Medium |
2020-09-04 |
| Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2020-09-04 |
| [NR Insights] Data app permissions setting does not fully prevent other users from modifying/changing changing data related to your data app |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| Upgrade menu exposes the mobile application token meant to only be visible to administrators |
Privilege Escalation |
jon_bottarini |
Low |
2020-09-04 |
| Permissions leaks the full name of other NR accounts - Regression of #267636 |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| Full name of other accounts exposed through NR API Explorer (another workaround of #476958) |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Alerts/Synthetics?] User with no Synthetics permissions can view synthetic monitor details through /internal_api/ endpoint |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| Logic flaw enables restricted account to access account license key |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| IDOR via internal_api "users" endpoint |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Infrastructure] Restricted user can update integration provider account name via integrations API |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2020-09-04 |
| [NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894 |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| [Synthetics/Infrastructure/everything] Individual account permissions are not properly managed and inherited on sub accounts |
Business Logic Errors |
jon_bottarini |
Medium |
2020-09-04 |
| User is able to access and create private synthetics locations without upgrading (regression of #276157) |
Client-Side Enforcement of Server-Side Security |
jon_bottarini |
Low |
2020-09-04 |
| Restricted user can bypass permissions restriction to create NR Alert policies |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Synthetics] Restricted user can view synthetics monitors and user permissions through .json endpoint at /permissions/securablemetadata/{GROUP ID} |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-26 |
| Adding a new user discloses their full name in the "Users" section of NR Alerts notification channels page |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-08-26 |
| [New Relic Infrastructure] Restricted User can still integrate with AWS via forced browsing (plus, a few other bugs) |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-26 |
| Internal API endpoint discloses full account name of email address associated with unconfirmed user |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-08-26 |
| Stored XSS via "my recent queries" selector in NRQL dashboard builder |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2020-08-24 |
| NRQL Query allows restricted user to pull all data from Synthetics monitors without having read permissions enabled |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-24 |
| Restricted user can view all account invoices, payment method details, PII of account owner through zoura_api endpoints |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-24 |
| (Prerelease UI) Stored XSS via role name in JSON chart |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2020-08-24 |
| Passive stored XSS at Synthetics job result page (View resource) |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| CSRF at adding new role (user-management.service.newrelic.com) |
Cross-Site Request Forgery (CSRF) |
skavans |
Medium |
2020-08-13 |
| User can run monitors at private locations, which he has no access to |
Insecure Direct Object Reference (IDOR) |
skavans |
High |
2020-08-13 |
| Stored XSS at APM apps labels autocomplete dropdown (apps listing) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Disclosure of locally served nerdpacks due to nr-local.net CORS policy misconfiguration |
Information Disclosure |
skavans |
Low |
2020-08-13 |
| Cross-account reading of Insights dashboards through GraphQL |
Insecure Direct Object Reference (IDOR) |
skavans |
Medium |
2020-08-13 |
| Restricted user can remove NerdStorage documents/collections scoped to ACCOUNT or ENTITY |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Attacker can create new account inside any partnership with no approve from the Partnership owner |
Insecure Direct Object Reference (IDOR) |
skavans |
Medium |
2020-08-13 |
| Secure credentials values disclosure to regular users due to access control issue in monitor creating function |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Stored XSS firing at transaction map (applicationName field) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS firing at the "Add chart to note" popup |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Cross-account stored XSS at notes (through "swf" note parameter) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS at APM applications listing |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| One Click Remote Code Injection - *.blog.newrelic.com |
Code Injection |
arsene_lupin |
Medium |
2020-08-13 |
| Site-wide clickjacking at IE11 |
UI Redressing (Clickjacking) |
skavans |
Low |
2020-08-13 |
| Restricted user can manage the NerdGraph entities' tags |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Restricted user can update Apdex target for applications by leveraging the GraphQL mutation |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Stored XSS at APM key transactions list |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS at Synthetics private locations (planted through location label or description) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS at Mobile (Versions tab) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| CSTI fix (#587829) bypass leading to stored XSS at plugins again |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS Via NRQL chartbuilder JSON view |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2020-08-13 |
| Stored XSS firing if the error occurs when trying to delete the APM app |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| CSRF at acknowledging an incident |
Cross-Site Request Forgery (CSRF) |
skavans |
Medium |
2020-08-13 |
| Restricted user can add and delete tags of APM key transactions |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-13 |
| Stored XSS at APM transaction map (transactionName field) |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| IDOR allows accounts to view full name of other accounts based on email through share notes feature |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-13 |
| Ability to buy PRO subscriptions by arbitrary reduced prices |
Business Logic Errors |
skavans |
Low |
2020-08-13 |
| Cross-account stored XSS at embedded charts |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS in notes (charts) because of insecure chart data JSON generation |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| NR-wide cross account access through misconfigured CORS-policy of multiple endpoints |
Improper Access Control - Generic |
skavans |
High |
2020-08-13 |
| Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values) |
Insecure Direct Object Reference (IDOR) |
skavans |
High |
2020-08-13 |
| CSTI at Plugin page leading to active stored XSS (Publisher name) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Urgent! Stored XSS at plugin's violations leading to account takeover |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Bypass of #447975 - view mobile application token though "Application Information" sidebar on Installation page |
Privilege Escalation |
jon_bottarini |
Low |
2020-08-13 |
| [synthetics.newrelic.com] SMTP header injection leads to (mass) arbitrary email sending |
CRLF Injection |
ldionmarcil |
Medium |
2020-07-15 |
| Host Header Injection |
Open Redirect |
masterhackor |
Low |
2020-01-27 |
| Password theft login.newrelic.com via Request Smuggling |
HTTP Request Smuggling |
albinowax |
High |
2019-08-30 |
| Password theft login.newrelic.com via Request Smuggling |
HTTP Request Smuggling |
albinowax |
High |
2019-08-30 |
| Giving myself access to NR1 UI / one.newrelic.com without the proper feature flags on my account |
Client-Side Enforcement of Server-Side Security |
jon_bottarini |
Low |
2019-06-17 |
| Giving myself access to NR1 UI / one.newrelic.com without the proper feature flags on my account |
Client-Side Enforcement of Server-Side Security |
jon_bottarini |
Low |
2019-06-17 |
| WordPress username enumeration (/author) |
Information Disclosure |
rootbakar |
Medium |
2018-10-19 |
| [NR Insights] Pull any Insights/NRQL data from any NR account |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2018-10-15 |
| DNS misconfiguration on email.alerts.newrelic.com |
Business Logic Errors |
hackerone77-222 |
Medium |
2018-09-17 |
| Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation |
Privilege Escalation |
fbogner |
High |
2018-08-29 |
| User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions |
Privilege Escalation |
michiel |
Medium |
2018-08-17 |
| stamp2-azure-ext.newrelic.com is vulnerable to MS12-020 |
Remote File Inclusion |
scrszy |
Critical |
2018-07-25 |
| Missing security best practices (leads to further impact) |
Violation of Secure Design Principles |
badcracker |
Medium |
2018-07-25 |
| Stored XSS in Brower `name` field reflected in two pages |
Cross-site Scripting (XSS) - Stored |
ldionmarcil |
High |
2018-07-20 |
| Captcha Bypass on SignUp Form |
Privacy Violation |
apapedulimu |
Low |
2018-05-10 |
| [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key |
Privilege Escalation |
jon_bottarini |
Medium |
2018-05-02 |
| Manipulation of submit payment request allows me to obtain Infrastructure Pro/Other Services for free or at greatly reduced price |
Business Logic Errors |
jon_bottarini |
Medium |
2018-05-02 |
| Newrelic s3 bucket is writeable and deleteable by authorized AWS users |
Improper Authentication - Generic |
kunal_bahl |
No rating |
2018-05-02 |
| Broken Authentication and session management OWASP A2 |
Improper Authentication - Generic |
ho_nc |
No rating |
2018-05-02 |
| Hyperlink Injection on adding active users |
Open Redirect |
japz |
Medium |
2018-05-02 |
| XSS (Reflected) |
Cross-site Scripting (XSS) - Generic |
mr_sharma_ |
None |
2018-05-02 |
| NR Internal_API call allows me to read the events/violations/policies/messages of ANY New Relic account (AND pull data from infrastructure) |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2018-05-02 |
| Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2018-05-01 |
| Drupal admin takeover via install.php not being performed prior to install. |
Privilege Escalation |
grampae |
High |
2018-04-23 |
| Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2017-12-07 |
| Unvalidated redirect in alerts.newrelic.com/auth/newrelic?origin= |
Open Redirect |
everardo |
No rating |
2017-11-10 |
| SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability |
Cryptographic Issues - Generic |
guifre |
Low |
2017-11-10 |
| Sub domain issues. |
None supplied |
itsaj3 |
No rating |
2017-11-10 |
| Stored XSS on BillingCountry parameter |
Cross-site Scripting (XSS) - Generic |
tsug0d |
High |
2017-11-10 |
| A user with restricted privileges is able to view Phone Number + Billing Email of account owner |
Improper Authentication - Generic |
jon_bottarini |
Low |
2017-10-16 |
| Open redirection |
Open Redirect |
seifelsallamy |
Low |
2017-10-14 |
| Cross site scripting in a subdomain of newrelic.com |
Cross-site Scripting (XSS) - Generic |
asaxena2190 |
Medium |
2017-10-12 |
| Privilege Escalation in Default Notification Preferences |
Privilege Escalation |
r0x33d |
No rating |
2017-10-12 |
| Privilege Escalation in Share Report |
Privilege Escalation |
r0x33d |
No rating |
2017-10-12 |
| [docs-ra.newrelic.com] subdomain and Drupal takeover via unconfigured endpoint |
Privilege Escalation |
ysx |
Medium |
2017-10-12 |
| Restricted User is able to edit Alert Conditions of Synthetics Monitors even if Synthetics Permissions is enabled by an admin |
Improper Authentication - Generic |
jon_bottarini |
Low |
2017-10-12 |
| CSRF For Adding Users |
None supplied |
atestpk |
Medium |
2017-10-12 |
| newrelic.atlassian.net - jira information disclosure |
Improper Authentication - Generic |
fng |
Low |
2017-10-12 |
| /accounts/USERID.json file is left open for Restricted User of organization disclosing Owners's Mobile Number and "billing_info, cc_email" |
Information Disclosure |
sahilmk |
No rating |
2017-10-12 |
| Insecure transition from HTTP to HTTPS in form post |
Information Disclosure |
d0rkerdevil |
No rating |
2017-10-12 |
| Directory listing - i am able to download all php_agent archive |
Information Disclosure |
cj862530 |
No rating |
2017-10-12 |
| Sensitive information disclosure |
Information Disclosure |
kothari |
No rating |
2017-10-12 |
| Moniter Failed Sends too many emails |
None supplied |
lulliii |
No rating |
2017-10-12 |
| Internal Ports Scanning via Blind SSRF |
Information Disclosure |
tungpun |
No rating |
2017-10-11 |
| SSRF in alerts.newrelic.com exposes entire internal network |
Server-Side Request Forgery (SSRF) |
albinowax |
Critical |
2017-08-22 |
| Restricted User can view multiple account details including customer_root_account_id, payment method, date of first payment, etc. |
Improper Authentication - Generic |
jon_bottarini |
Low |
2017-04-27 |
| Open Redirect |
Open Redirect |
intricate |
No rating |
2017-03-20 |
| Session Hijacking |
Improper Authentication - Generic |
xia_ulhusnain |
No rating |
2017-03-20 |
| Cache purge requests are not authenticated |
None supplied |
nuc |
No rating |
2017-03-20 |
| XSS in a newrelic.com site |
Cross-site Scripting (XSS) - Generic |
sinkmanu |
No rating |
2017-03-20 |
| JIRA account misconfig causes internal info leak |
Information Disclosure |
kamil_hism |
No rating |
2017-03-20 |
| CSRF- delete all empty server policy |
Cross-Site Request Forgery (CSRF) |
amit29sept |
No rating |
2017-03-20 |
| CSRF - Delete all empty application policy |
Cross-Site Request Forgery (CSRF) |
amit29sept |
No rating |
2017-03-20 |
| https://rpm.newrelic.com/login vulnerable to host header attack |
Open Redirect |
geeknik |
No rating |
2017-03-20 |
| No Rate Limitation on Promo Code |
Memory Corruption - Generic |
daniyal_nasir |
No rating |
2017-03-20 |
| Reflected XSS on Signup Page |
Cross-site Scripting (XSS) - Generic |
itly |
No rating |
2017-03-20 |
| Unauthorized Access |
Improper Authentication - Generic |
apt |
No rating |
2017-03-20 |
| A Signup page does not properly validate the authenticity token at the server side. |
Cross-Site Request Forgery (CSRF) |
waqar_vicky |
No rating |
2017-03-20 |
| A Log in page does not properly validate the authenticity token at the server side |
Cross-Site Request Forgery (CSRF) |
waqar_vicky |
No rating |
2017-03-20 |
| Html injection in monitor name textbox |
Open Redirect |
zuh4n |
No rating |
2017-02-22 |
| [alerts.newrelic.com] Scanning local network via notification channel |
Privilege Escalation |
s_p_q_r |
No rating |
2017-02-21 |
| [download.newrelic.com] Access to private directories |
Privilege Escalation |
s_p_q_r |
No rating |
2017-02-21 |
| Mobile Authentication Endpoint Credentials Brute-Force Vulnerability |
Improper Authentication - Generic |
arneswinnen |
No rating |
2017-02-19 |
| Privilege Escalation In Moniter |
Privilege Escalation |
czd |
No rating |
2017-02-19 |
| Improper Session Management |
None supplied |
czd |
No rating |
2017-02-19 |
| open redirection at login |
Open Redirect |
seifelsallamy |
No rating |
2017-02-18 |
| Open redirection bypass . |
Open Redirect |
rohan_x3 |
No rating |
2017-02-18 |
| Potential sub-domain hijacking |
None supplied |
danielhartnell |
Low |
2017-02-18 |
| SSO Authentication Bypass |
Improper Authentication - Generic |
danielhartnell |
No rating |
2017-02-18 |
| Leaking license key in source code |
Information Disclosure |
pradeepch99 |
No rating |
2017-02-18 |
| Cache-Control Misconfiguration Leads to Sensitive Information Leakage |
Information Disclosure |
geekboy |
No rating |
2017-02-18 |
| APT repository is signed using weak digest (SHA-1) |
Cryptographic Issues - Generic |
reed |
Low |
2017-02-18 |
| CSRF vulnerability that allows an attacker to purge plugin metric data |
Cross-Site Request Forgery (CSRF) |
martijn |
No rating |
2016-12-05 |
| Stored Xss in rpm.newrelic.com |
Cross-site Scripting (XSS) - Generic |
hackerwahab |
No rating |
2016-11-14 |
| Emails and alert policies can be altered by malicious users. |
Improper Authentication - Generic |
hogarth45 |
No rating |
2016-11-04 |
| Host Header Injection / Cache Poisoning |
None supplied |
pavanw3b |
No rating |
2016-11-04 |
| Cookie Misconfiguration |
Improper Authentication - Generic |
cjlegacion |
No rating |
2016-11-04 |
| Open redirection |
Open Redirect |
seifelsallamy |
No rating |
2016-11-03 |
| Session Management Flaw |
Improper Authentication - Generic |
babayaga_ |
No rating |
2016-10-08 |
| HOST HEADER INJECTION in rpm.newrelic.com |
Open Redirect |
noob-boy |
No rating |
2016-10-08 |
| Password disclosure during signup process |
Information Disclosure |
foundstone-kunal |
No rating |
2016-09-26 |
| Sensitive information contained with New Relic APM iOS application |
Information Disclosure |
todayisnew |
No rating |
2016-09-26 |
| Unsafe HTML in reset password email and Account verification in email is missing in Sign up |
Open Redirect |
karthic |
No rating |
2016-09-26 |
| newrelic.com rails directory traversal vuln |
Code Injection |
droidsec |
No rating |
2016-09-26 |
| Login Open Redirect |
Open Redirect |
pewpew |
No rating |
2016-09-19 |
| Basic Authorization over HTTP |
Improper Authentication - Generic |
hassham |
No rating |
2016-09-07 |
| SSRF on synthetics.newrelic.com permitting access to sensitive data |
Information Disclosure |
ylujion |
No rating |
2016-09-05 |
| Blind SSRF on synthetics.newrelic.com |
Information Disclosure |
ylujion |
No rating |
2016-09-05 |
| Java RMI (Remote Code Execution) |
Code Injection |
leba |
No rating |
2016-09-02 |
| User enumeration possible from log-in timing difference |
None supplied |
cisplatin |
No rating |
2016-08-27 |
| CSV Injection in sub_accounts.csv |
Command Injection - Generic |
cisplatin |
No rating |
2016-08-27 |
| CSRF - Regenerate all admin api keys |
Cross-Site Request Forgery (CSRF) |
scorppy |
No rating |
2016-08-27 |
| Server Side Browsing - localhost open port enumeration |
Information Disclosure |
aiacobelli |
No rating |
2016-08-27 |
| No validation on account names |
Violation of Secure Design Principles |
ashish_r_padelkar |
No rating |
2016-08-27 |
| Missing rate limit on password |
Improper Authentication - Generic |
malcolmx |
No rating |
2016-08-27 |
| http://newrelic.com SSRF/XSPA |
None supplied |
grampae |
No rating |
2016-08-27 |
| Login CSRF vulnerability |
Cross-Site Request Forgery (CSRF) |
jackcyril |
No rating |
2016-08-13 |
| All Active user sessions should be destroyed when user change his password! |
Improper Authentication - Generic |
rahul_ch |
No rating |
2016-08-13 |
| Vulnerable Link Leaks the User Names |
Improper Authentication - Generic |
daniyal_nasir |
No rating |
2016-08-06 |
| All the active session should destroy when user change his password |
Improper Authentication - Generic |
smil3 |
No rating |
2016-08-06 |
| no email confirmation on signup |
None supplied |
rahul_ch |
No rating |
2016-08-06 |
| newrelic.com vulnerable to clickjacking ! |
None supplied |
rahul_ch |
No rating |
2016-08-06 |
| No CSRF validation on Account Monitors in Synthetics Block |
Cross-Site Request Forgery (CSRF) |
daniyal_nasir |
No rating |
2016-07-13 |
| Normal user can set "Job title" of other users by Direct Object Reference |
Privilege Escalation |
sarwarjahan |
No rating |
2016-07-13 |
| Potential Subdomain Takeover - http://storefront.newrelic.com/ |
Privilege Escalation |
charliehacks |
No rating |
2016-06-20 |
| Html injection in monitor name textbox |
Open Redirect |
karthic |
No rating |
2016-06-20 |
| Open redirection bypass |
Open Redirect |
shailesh4594 |
No rating |
2016-06-13 |
| rpm.newrelic.com - monitor creation to other accounts |
None supplied |
vikinghoarder |
No rating |
2016-06-13 |
| Session takeover |
None supplied |
thalaivar__subu |
No rating |
2016-06-07 |
| [login.newrelic.com] XSS via return_to |
Cross-site Scripting (XSS) - Generic |
s_p_q_r |
No rating |
2016-05-23 |
| Stored XSS through Angular Expression Sandbox Escape |
Cross-site Scripting (XSS) - Generic |
ryhanson |
No rating |
2016-05-22 |
| SUBDOMAIN TAKEOVER(FIXED) |
Violation of Secure Design Principles |
kiraak-boy |
No rating |
2016-05-21 |
| Open redirection on login |
Open Redirect |
shailesh4594 |
No rating |
2016-05-21 |
| https://rpm.newrelic.com/.htaccess file is world readable |
Information Disclosure |
geeknik |
No rating |
2016-05-21 |
| Clickjacking on authenticated pages which is inscope for New Relic |
Improper Authentication - Generic |
trabajoduro_2 |
No rating |
2016-05-21 |
| New Relic - Session Hijacking |
None supplied |
ahsan |
No rating |
2016-05-13 |
| Stored Cross-Site Scripting via Angular Template Injection |
Cross-site Scripting (XSS) - Generic |
fitzpr |
No rating |
2016-05-09 |
| Too many included lookups |
Memory Corruption - Generic |
trabajoduro_2 |
No rating |
2016-05-03 |
| Synthetics Xss |
Command Injection - Generic |
mg94 |
No rating |
2016-04-25 |
| Old CAPTCHA offers no protection |
None supplied |
cisplatin |
No rating |
2016-04-08 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
BugBountyHunter Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed Hackevent Reports 
Disclosed HackerOne Reports 
Our community
Honourable Members
Member Contributions