Newrelic


reports in last 90 days
disclosed resolved issues: 96
disclosed informative issues: 21
disclosed N/A issues: 3

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| Low | Mixed content issues on newrelic.com | Man-in-the-Middle | reformedot | Issue was not triaged | 0 days 14 hours | Informative |
| Medium | Blind SSRF in Ticketing Integrations Jira webhooks leading to internal network enumeration and blind HTTP requests | Server-Side Request Forgery (SSRF) | ajxchapman | 0 days 2 hours | 7 days 3 hours | Resolved |
| High | Password theft login.newrelic.com via Request Smuggling | HTTP Request Smuggling | albinowax | 2 days 8 hours | 108 days 18 hours | Resolved |
| Medium | Swiftype key stored in JavaScript source | None supplied | sauravpratihar | 1 day 6 hours | 5 days 2 hours | Resolved |
| No rating | Users can enable API access for free via mass assignment | Privilege Escalation | albinowax | 0 days 2 hours | 57 days 0 hours | Resolved |
| Low | Restricted User is able to edit Alert Conditions of Synthetics Monitors even if Synthetics Permissions is enabled by an admin | Improper Authentication - Generic | jon_bottarini | 1 day 17 hours | 152 days 0 hours | Resolved |
| Medium | [docs-ra.newrelic.com] subdomain and Drupal takeover via unconfigured endpoint | Privilege Escalation | ysx | 3 days 1 hour | 3 days 0 hours | Resolved |
| Low | A user with restricted privileges is able to view Phone Number + Billing Email of account owner | Improper Authentication - Generic | jon_bottarini | 0 days 22 hours | 119 days 11 hours | Resolved |
| Low | Giving myself access to NR1 UI / one.newrelic.com without the proper feature flags on my account | Client-Side Enforcement of Server-Side Security | jon_bottarini | 0 days 15 hours | 68 days 21 hours | Resolved |
| No rating | WordPress User Enumeration - blog.newrelic.com | Information Disclosure | niwasaki | Issue was not triaged | 1 day 20 hours | Informative |
| High | [NR Insights] Pull any Insights/NRQL data from any NR account | Insecure Direct Object Reference (IDOR) | jon_bottarini | 0 days 16 hours | 16 days 2 hours | Resolved |
| Medium | WordPress username enumeration (/author) | Information Disclosure | rootbakar | Issue was not triaged | 22 days 13 hours | Duplicate |
| Medium | DNS misconfiguration on email.alerts.newrelic.com | Business Logic Errors | hackerone77-222 | Issue was not triaged | 5 days 0 hours | Not-applicable |
| High | Insecure Infrastructure Integrations YML Loading leads to Windows Privilege Escalation | Privilege Escalation | fbogner | 1 day 3 hours | 77 days 19 hours | Resolved |
| Medium | User to Admin privilege escalation in Infrastructure Conditions - /v2/accounts/1835740/alerts/conditions | Privilege Escalation | michiel | 0 days 21 hours | 25 days 3 hours | Resolved |
| High | Stored XSS in Browser `name` field reflected in two pages | Cross-site Scripting (XSS) - Stored | ldionmarcil | 1 day 15 hours | 72 days 20 hours | Resolved |
| Medium | Missing security best practices (leads to further impact) | Violation of Secure Design Principles | badcracker | Issue was not triaged | 1 day 1 hour | Informative |
| Critical | stamp2-azure-ext.newrelic.com is vulnerable to MS12-020 | Remote File Inclusion | scrszy | Issue was not triaged | 2 days 10 hours | Resolved |
| Low | Captcha Bypass on SignUp Form | Privacy Violation | apapedulimu | 1 day 16 hours | 203 days 22 hours | Resolved |
| High | NR Internal_API call allows me to read the events/violations/policies/messages of ANY New Relic account (AND pull data from infrastructure) | Insecure Direct Object Reference (IDOR) | jon_bottarini | 0 days 15 hours | 72 days 3 hours | Resolved |
| None | XSS (Reflected) | Cross-site Scripting (XSS) - Generic | mr_sharma_ | Issue was not triaged | 0 days 13 hours | Informative |
| Medium | Hyperlink Injection on adding active users | Open Redirect | japz | Issue was not triaged | 1 day 5 hours | Informative |
| No rating | Broken Authentication and session management OWASP A2 | Improper Authentication - Generic | ho_nc | Issue was not triaged | 0 days 2 hours | Not-applicable |
| No rating | Newrelic s3 bucket is writable and deletable by authorized AWS users | Improper Authentication - Generic | kunal_bahl | Issue was not triaged | 23 days 1 hour | Informative |