| Reflected XSS in VPN Appliance |
Cross-site Scripting (XSS) - Reflected |
mr-hakhak |
Medium |
2021-11-10 |
| Account takeover by using abandoned email id of victim which has already been changed to new by victim himself on one.newrelic.com |
Improper Authentication - Generic |
ashmek |
Low |
2021-07-02 |
| Untrusted deserialization issue when loading newrelic.yml file in Java agent leads to code execution on host |
Deserialization of Untrusted Data |
j0v |
Low |
2021-06-28 |
| Account Takeover via Email ID Change and Forgot Password Functionality |
Improper Authentication - Generic |
dsdh |
High |
2021-06-28 |
| removed user can still join the organization |
Business Logic Errors |
moon_shadow |
Low |
2021-05-10 |
| Stored XSS via malicious key value of Synthetics monitor tag when visiting an Insights dashboard with filtering enabled |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2021-04-20 |
| "Basic user" which can only access a limited subset of the platform can access certain pages which are restricted to the user by the account owner. |
Improper Access Control - Generic |
jhimansh |
None |
2020-09-22 |
| [NR Synthetics] Restricted User can add/modify alert conditions on monitors without any synthetics privileges |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user |
Information Disclosure |
jon_bottarini |
Medium |
2020-09-04 |
| Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2020-09-04 |
| [NR Insights] Data app permissions setting does not fully prevent other users from modifying/changing changing data related to your data app |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| Upgrade menu exposes the mobile application token meant to only be visible to administrators |
Privilege Escalation |
jon_bottarini |
Low |
2020-09-04 |
| Permissions leaks the full name of other NR accounts - Regression of #267636 |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| Full name of other accounts exposed through NR API Explorer (another workaround of #476958) |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Alerts/Synthetics?] User with no Synthetics permissions can view synthetic monitor details through /internal_api/ endpoint |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| Logic flaw enables restricted account to access account license key |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| IDOR via internal_api "users" endpoint |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Infrastructure] Restricted user can update integration provider account name via integrations API |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2020-09-04 |
| [NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894 |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-09-04 |
| [Synthetics/Infrastructure/everything] Individual account permissions are not properly managed and inherited on sub accounts |
Business Logic Errors |
jon_bottarini |
Medium |
2020-09-04 |
| User is able to access and create private synthetics locations without upgrading (regression of #276157) |
Client-Side Enforcement of Server-Side Security |
jon_bottarini |
Low |
2020-09-04 |
| Restricted user can bypass permissions restriction to create NR Alert policies |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions |
Privilege Escalation |
jon_bottarini |
Medium |
2020-09-04 |
| [NR Synthetics] Restricted user can view synthetics monitors and user permissions through .json endpoint at /permissions/securablemetadata/{GROUP ID} |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-26 |
| Adding a new user discloses their full name in the "Users" section of NR Alerts notification channels page |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-08-26 |
| [New Relic Infrastructure] Restricted User can still integrate with AWS via forced browsing (plus, a few other bugs) |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-26 |
| Internal API endpoint discloses full account name of email address associated with unconfirmed user |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2020-08-26 |
| Stored XSS via "my recent queries" selector in NRQL dashboard builder |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2020-08-24 |
| NRQL Query allows restricted user to pull all data from Synthetics monitors without having read permissions enabled |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-24 |
| Restricted user can view all account invoices, payment method details, PII of account owner through zoura_api endpoints |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-24 |
| (Prerelease UI) Stored XSS via role name in JSON chart |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2020-08-24 |
| Passive stored XSS at Synthetics job result page (View resource) |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| CSRF at adding new role (user-management.service.newrelic.com) |
Cross-Site Request Forgery (CSRF) |
skavans |
Medium |
2020-08-13 |
| User can run monitors at private locations, which he has no access to |
Insecure Direct Object Reference (IDOR) |
skavans |
High |
2020-08-13 |
| Stored XSS at APM apps labels autocomplete dropdown (apps listing) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Disclosure of locally served nerdpacks due to nr-local.net CORS policy misconfiguration |
Information Disclosure |
skavans |
Low |
2020-08-13 |
| Cross-account reading of Insights dashboards through GraphQL |
Insecure Direct Object Reference (IDOR) |
skavans |
Medium |
2020-08-13 |
| Restricted user can remove NerdStorage documents/collections scoped to ACCOUNT or ENTITY |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Attacker can create new account inside any partnership with no approve from the Partnership owner |
Insecure Direct Object Reference (IDOR) |
skavans |
Medium |
2020-08-13 |
| Secure credentials values disclosure to regular users due to access control issue in monitor creating function |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Stored XSS firing at transaction map (applicationName field) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS firing at the "Add chart to note" popup |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Cross-account stored XSS at notes (through "swf" note parameter) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS at APM applications listing |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored admin-to-owner XSS at infrastructure alerts runbook URL leading to account takeover by malicious admin |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| One Click Remote Code Injection - *.blog.newrelic.com |
Code Injection |
arsene_lupin |
Medium |
2020-08-13 |
| Site-wide clickjacking at IE11 |
UI Redressing (Clickjacking) |
skavans |
Low |
2020-08-13 |
| Restricted user can manage the NerdGraph entities' tags |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Restricted user can update Apdex target for applications by leveraging the GraphQL mutation |
Improper Access Control - Generic |
skavans |
Medium |
2020-08-13 |
| Stored XSS at APM key transactions list |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS at Synthetics private locations (planted through location label or description) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS at Mobile (Versions tab) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| CSTI fix (#587829) bypass leading to stored XSS at plugins again |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS Via NRQL chartbuilder JSON view |
Cross-site Scripting (XSS) - Stored |
jon_bottarini |
High |
2020-08-13 |
| Stored XSS firing if the error occurs when trying to delete the APM app |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| CSRF at acknowledging an incident |
Cross-Site Request Forgery (CSRF) |
skavans |
Medium |
2020-08-13 |
| Restricted user can add and delete tags of APM key transactions |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-13 |
| Stored XSS at APM transaction map (transactionName field) |
Cross-site Scripting (XSS) - Stored |
skavans |
Medium |
2020-08-13 |
| Unsafe charts embedding implementation leads to cross-account stored XSS and SSRF |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| IDOR allows accounts to view full name of other accounts based on email through share notes feature |
Privilege Escalation |
jon_bottarini |
Medium |
2020-08-13 |
| Ability to buy PRO subscriptions by arbitrary reduced prices |
Business Logic Errors |
skavans |
Low |
2020-08-13 |
| Cross-account stored XSS at embedded charts |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Stored XSS in notes (charts) because of insecure chart data JSON generation |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| NR-wide cross account access through misconfigured CORS-policy of multiple endpoints |
Improper Access Control - Generic |
skavans |
High |
2020-08-13 |
| Ability to run monitors' jobs of other accounts and to read these jobs content (including the secure credentials values) |
Insecure Direct Object Reference (IDOR) |
skavans |
High |
2020-08-13 |
| CSTI at Plugin page leading to active stored XSS (Publisher name) |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Urgent! Stored XSS at plugin's violations leading to account takeover |
Cross-site Scripting (XSS) - Stored |
skavans |
High |
2020-08-13 |
| Bypass of #447975 - view mobile application token though "Application Information" sidebar on Installation page |
Privilege Escalation |
jon_bottarini |
Low |
2020-08-13 |
| [synthetics.newrelic.com] SMTP header injection leads to (mass) arbitrary email sending |
CRLF Injection |
ldionmarcil |
Medium |
2020-07-15 |
| Host Header Injection |
Open Redirect |
masterhackor |
Low |
2020-01-27 |
| Password theft login.newrelic.com via Request Smuggling |
HTTP Request Smuggling |
albinowax |
High |
2019-08-30 |
| Password theft login.newrelic.com via Request Smuggling |
HTTP Request Smuggling |
albinowax |
High |
2019-08-30 |
| Giving myself access to NR1 UI / one.newrelic.com without the proper feature flags on my account |
Client-Side Enforcement of Server-Side Security |
jon_bottarini |
Low |
2019-06-17 |
| Giving myself access to NR1 UI / one.newrelic.com without the proper feature flags on my account |
Client-Side Enforcement of Server-Side Security |
jon_bottarini |
Low |
2019-06-17 |
| WordPress username enumeration (/author) |
Information Disclosure |
rootbakar |
Medium |
2018-10-19 |
| [NR Insights] Pull any Insights/NRQL data from any NR account |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2018-10-15 |
| DNS misconfiguration on email.alerts.newrelic.com |
Business Logic Errors |
hackerone77-222 |
Medium |
2018-09-17 |
| Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation |
Privilege Escalation |
fbogner |
High |
2018-08-29 |
| User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions |
Privilege Escalation |
michiel |
Medium |
2018-08-17 |
| stamp2-azure-ext.newrelic.com is vulnerable to MS12-020 |
Remote File Inclusion |
scrszy |
Critical |
2018-07-25 |
| Missing security best practices (leads to further impact) |
Violation of Secure Design Principles |
badcracker |
Medium |
2018-07-25 |
| Stored XSS in Brower `name` field reflected in two pages |
Cross-site Scripting (XSS) - Stored |
ldionmarcil |
High |
2018-07-20 |
| Captcha Bypass on SignUp Form |
Privacy Violation |
apapedulimu |
Low |
2018-05-10 |
| [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key |
Privilege Escalation |
jon_bottarini |
Medium |
2018-05-02 |
| Manipulation of submit payment request allows me to obtain Infrastructure Pro/Other Services for free or at greatly reduced price |
Business Logic Errors |
jon_bottarini |
Medium |
2018-05-02 |
| Newrelic s3 bucket is writeable and deleteable by authorized AWS users |
Improper Authentication - Generic |
kunal_bahl |
No rating |
2018-05-02 |
| Broken Authentication and session management OWASP A2 |
Improper Authentication - Generic |
ho_nc |
No rating |
2018-05-02 |
| Hyperlink Injection on adding active users |
Open Redirect |
japz |
Medium |
2018-05-02 |
| XSS (Reflected) |
Cross-site Scripting (XSS) - Generic |
mr_sharma_ |
None |
2018-05-02 |
| NR Internal_API call allows me to read the events/violations/policies/messages of ANY New Relic account (AND pull data from infrastructure) |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
High |
2018-05-02 |
| Bypass of my three other reports #267636 + #255894 + #271861 - (IDOR) Ability to see full name associated with other New Relic accounts |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2018-05-01 |
| Drupal admin takeover via install.php not being performed prior to install. |
Privilege Escalation |
grampae |
High |
2018-04-23 |
| Bypass of my two other reports #267636 + #255894 - (IDOR) Ability to see full name associated with other New Relic accounts |
Insecure Direct Object Reference (IDOR) |
jon_bottarini |
Medium |
2017-12-07 |
| Unvalidated redirect in alerts.newrelic.com/auth/newrelic?origin= |
Open Redirect |
everardo |
No rating |
2017-11-10 |
| SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability |
Cryptographic Issues - Generic |
guifre |
Low |
2017-11-10 |
| Sub domain issues. |
None supplied |
itsaj3 |
No rating |
2017-11-10 |
| Stored XSS on BillingCountry parameter |
Cross-site Scripting (XSS) - Generic |
tsug0d |
High |
2017-11-10 |
| A user with restricted privileges is able to view Phone Number + Billing Email of account owner |
Improper Authentication - Generic |
jon_bottarini |
Low |
2017-10-16 |
| Open redirection |
Open Redirect |
seifelsallamy |
Low |
2017-10-14 |
| Cross site scripting in a subdomain of newrelic.com |
Cross-site Scripting (XSS) - Generic |
asaxena2190 |
Medium |
2017-10-12 |
| Privilege Escalation in Default Notification Preferences |
Privilege Escalation |
r0x33d |
No rating |
2017-10-12 |
| Privilege Escalation in Share Report |
Privilege Escalation |
r0x33d |
No rating |
2017-10-12 |
| [docs-ra.newrelic.com] subdomain and Drupal takeover via unconfigured endpoint |
Privilege Escalation |
ysx |
Medium |
2017-10-12 |
| Restricted User is able to edit Alert Conditions of Synthetics Monitors even if Synthetics Permissions is enabled by an admin |
Improper Authentication - Generic |
jon_bottarini |
Low |
2017-10-12 |
| CSRF For Adding Users |
None supplied |
atestpk |
Medium |
2017-10-12 |
| newrelic.atlassian.net - jira information disclosure |
Improper Authentication - Generic |
fng |
Low |
2017-10-12 |
| /accounts/USERID.json file is left open for Restricted User of organization disclosing Owners's Mobile Number and "billing_info, cc_email" |
Information Disclosure |
sahilmk |
No rating |
2017-10-12 |
| Insecure transition from HTTP to HTTPS in form post |
Information Disclosure |
d0rkerdevil |
No rating |
2017-10-12 |
| Directory listing - i am able to download all php_agent archive |
Information Disclosure |
cj862530 |
No rating |
2017-10-12 |
| Sensitive information disclosure |
Information Disclosure |
kothari |
No rating |
2017-10-12 |
| Moniter Failed Sends too many emails |
None supplied |
lulliii |
No rating |
2017-10-12 |
| Internal Ports Scanning via Blind SSRF |
Information Disclosure |
tungpun |
No rating |
2017-10-11 |
| SSRF in alerts.newrelic.com exposes entire internal network |
Server-Side Request Forgery (SSRF) |
albinowax |
Critical |
2017-08-22 |
| Restricted User can view multiple account details including customer_root_account_id, payment method, date of first payment, etc. |
Improper Authentication - Generic |
jon_bottarini |
Low |
2017-04-27 |
| Open Redirect |
Open Redirect |
intricate |
No rating |
2017-03-20 |
| Session Hijacking |
Improper Authentication - Generic |
xia_ulhusnain |
No rating |
2017-03-20 |
| Cache purge requests are not authenticated |
None supplied |
nuc |
No rating |
2017-03-20 |
| XSS in a newrelic.com site |
Cross-site Scripting (XSS) - Generic |
sinkmanu |
No rating |
2017-03-20 |
| JIRA account misconfig causes internal info leak |
Information Disclosure |
kamil_hism |
No rating |
2017-03-20 |
| CSRF- delete all empty server policy |
Cross-Site Request Forgery (CSRF) |
amit29sept |
No rating |
2017-03-20 |
| CSRF - Delete all empty application policy |
Cross-Site Request Forgery (CSRF) |
amit29sept |
No rating |
2017-03-20 |
| https://rpm.newrelic.com/login vulnerable to host header attack |
Open Redirect |
geeknik |
No rating |
2017-03-20 |
| No Rate Limitation on Promo Code |
Memory Corruption - Generic |
daniyal_nasir |
No rating |
2017-03-20 |
| Reflected XSS on Signup Page |
Cross-site Scripting (XSS) - Generic |
itly |
No rating |
2017-03-20 |
| Unauthorized Access |
Improper Authentication - Generic |
apt |
No rating |
2017-03-20 |
| A Signup page does not properly validate the authenticity token at the server side. |
Cross-Site Request Forgery (CSRF) |
waqar_vicky |
No rating |
2017-03-20 |
| A Log in page does not properly validate the authenticity token at the server side |
Cross-Site Request Forgery (CSRF) |
waqar_vicky |
No rating |
2017-03-20 |
| Html injection in monitor name textbox |
Open Redirect |
zuh4n |
No rating |
2017-02-22 |
| [alerts.newrelic.com] Scanning local network via notification channel |
Privilege Escalation |
s_p_q_r |
No rating |
2017-02-21 |
| [download.newrelic.com] Access to private directories |
Privilege Escalation |
s_p_q_r |
No rating |
2017-02-21 |
| Mobile Authentication Endpoint Credentials Brute-Force Vulnerability |
Improper Authentication - Generic |
arneswinnen |
No rating |
2017-02-19 |
| Privilege Escalation In Moniter |
Privilege Escalation |
czd |
No rating |
2017-02-19 |
| Improper Session Management |
None supplied |
czd |
No rating |
2017-02-19 |
| open redirection at login |
Open Redirect |
seifelsallamy |
No rating |
2017-02-18 |
| Open redirection bypass . |
Open Redirect |
rohan_x3 |
No rating |
2017-02-18 |
| Potential sub-domain hijacking |
None supplied |
danielhartnell |
Low |
2017-02-18 |
| SSO Authentication Bypass |
Improper Authentication - Generic |
danielhartnell |
No rating |
2017-02-18 |
| Leaking license key in source code |
Information Disclosure |
pradeepch99 |
No rating |
2017-02-18 |
| Cache-Control Misconfiguration Leads to Sensitive Information Leakage |
Information Disclosure |
geekboy |
No rating |
2017-02-18 |
| APT repository is signed using weak digest (SHA-1) |
Cryptographic Issues - Generic |
reed |
Low |
2017-02-18 |
| CSRF vulnerability that allows an attacker to purge plugin metric data |
Cross-Site Request Forgery (CSRF) |
martijn |
No rating |
2016-12-05 |
| Stored Xss in rpm.newrelic.com |
Cross-site Scripting (XSS) - Generic |
hackerwahab |
No rating |
2016-11-14 |
| Emails and alert policies can be altered by malicious users. |
Improper Authentication - Generic |
hogarth45 |
No rating |
2016-11-04 |
| Host Header Injection / Cache Poisoning |
None supplied |
pavanw3b |
No rating |
2016-11-04 |
| Cookie Misconfiguration |
Improper Authentication - Generic |
cjlegacion |
No rating |
2016-11-04 |
| Open redirection |
Open Redirect |
seifelsallamy |
No rating |
2016-11-03 |
| Session Management Flaw |
Improper Authentication - Generic |
babayaga_ |
No rating |
2016-10-08 |
| HOST HEADER INJECTION in rpm.newrelic.com |
Open Redirect |
noob-boy |
No rating |
2016-10-08 |
| Password disclosure during signup process |
Information Disclosure |
foundstone-kunal |
No rating |
2016-09-26 |
| Sensitive information contained with New Relic APM iOS application |
Information Disclosure |
todayisnew |
No rating |
2016-09-26 |
| Unsafe HTML in reset password email and Account verification in email is missing in Sign up |
Open Redirect |
karthic |
No rating |
2016-09-26 |
| newrelic.com rails directory traversal vuln |
Code Injection |
droidsec |
No rating |
2016-09-26 |
| Login Open Redirect |
Open Redirect |
pewpew |
No rating |
2016-09-19 |
| Basic Authorization over HTTP |
Improper Authentication - Generic |
hassham |
No rating |
2016-09-07 |
| SSRF on synthetics.newrelic.com permitting access to sensitive data |
Information Disclosure |
ylujion |
No rating |
2016-09-05 |
| Blind SSRF on synthetics.newrelic.com |
Information Disclosure |
ylujion |
No rating |
2016-09-05 |
| Java RMI (Remote Code Execution) |
Code Injection |
leba |
No rating |
2016-09-02 |
| User enumeration possible from log-in timing difference |
None supplied |
cisplatin |
No rating |
2016-08-27 |
| CSV Injection in sub_accounts.csv |
Command Injection - Generic |
cisplatin |
No rating |
2016-08-27 |
| CSRF - Regenerate all admin api keys |
Cross-Site Request Forgery (CSRF) |
scorppy |
No rating |
2016-08-27 |
| Server Side Browsing - localhost open port enumeration |
Information Disclosure |
aiacobelli |
No rating |
2016-08-27 |
| No validation on account names |
Violation of Secure Design Principles |
ashish_r_padelkar |
No rating |
2016-08-27 |
| Missing rate limit on password |
Improper Authentication - Generic |
malcolmx |
No rating |
2016-08-27 |
| http://newrelic.com SSRF/XSPA |
None supplied |
grampae |
No rating |
2016-08-27 |
| Login CSRF vulnerability |
Cross-Site Request Forgery (CSRF) |
jackcyril |
No rating |
2016-08-13 |
| All Active user sessions should be destroyed when user change his password! |
Improper Authentication - Generic |
rahul_ch |
No rating |
2016-08-13 |
| Vulnerable Link Leaks the User Names |
Improper Authentication - Generic |
daniyal_nasir |
No rating |
2016-08-06 |
| All the active session should destroy when user change his password |
Improper Authentication - Generic |
smil3 |
No rating |
2016-08-06 |
| no email confirmation on signup |
None supplied |
rahul_ch |
No rating |
2016-08-06 |
| newrelic.com vulnerable to clickjacking ! |
None supplied |
rahul_ch |
No rating |
2016-08-06 |
| No CSRF validation on Account Monitors in Synthetics Block |
Cross-Site Request Forgery (CSRF) |
daniyal_nasir |
No rating |
2016-07-13 |
| Normal user can set "Job title" of other users by Direct Object Reference |
Privilege Escalation |
sarwarjahan |
No rating |
2016-07-13 |
| Potential Subdomain Takeover - http://storefront.newrelic.com/ |
Privilege Escalation |
charliehacks |
No rating |
2016-06-20 |
| Html injection in monitor name textbox |
Open Redirect |
karthic |
No rating |
2016-06-20 |
| Open redirection bypass |
Open Redirect |
shailesh4594 |
No rating |
2016-06-13 |
| rpm.newrelic.com - monitor creation to other accounts |
None supplied |
vikinghoarder |
No rating |
2016-06-13 |
| Session takeover |
None supplied |
thalaivar__subu |
No rating |
2016-06-07 |
| [login.newrelic.com] XSS via return_to |
Cross-site Scripting (XSS) - Generic |
s_p_q_r |
No rating |
2016-05-23 |
| Stored XSS through Angular Expression Sandbox Escape |
Cross-site Scripting (XSS) - Generic |
ryhanson |
No rating |
2016-05-22 |
| SUBDOMAIN TAKEOVER(FIXED) |
Violation of Secure Design Principles |
kiraak-boy |
No rating |
2016-05-21 |
| Open redirection on login |
Open Redirect |
shailesh4594 |
No rating |
2016-05-21 |
| https://rpm.newrelic.com/.htaccess file is world readable |
Information Disclosure |
geeknik |
No rating |
2016-05-21 |
| Clickjacking on authenticated pages which is inscope for New Relic |
Improper Authentication - Generic |
trabajoduro_2 |
No rating |
2016-05-21 |
| New Relic - Session Hijacking |
None supplied |
ahsan |
No rating |
2016-05-13 |
| Stored Cross-Site Scripting via Angular Template Injection |
Cross-site Scripting (XSS) - Generic |
fitzpr |
No rating |
2016-05-09 |
| Too many included lookups |
Memory Corruption - Generic |
trabajoduro_2 |
No rating |
2016-05-03 |
| Synthetics Xss |
Command Injection - Generic |
mg94 |
No rating |
2016-04-25 |
| Old CAPTCHA offers no protection |
None supplied |
cisplatin |
No rating |
2016-04-08 |
Disclosed Hackevent Reports 
Disclosed HackerOne Reports