IDOR via internal_api "users" endpoint
Link: https://hackerone.com/reports/349291
- Severity: Medium | Bounty: 1,500 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 10:55am (UTC)

[NR Insights] Data app permissions setting does not fully prevent other users from modifying/changing data related to your data app
Link: https://hackerone.com/reports/388743
- Severity: Medium | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 10:56am (UTC)

[NR Infrastructure] Restricted user can update integration provider account name via integrations API
Link: https://hackerone.com/reports/397483
- Severity: Medium | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 10:57am (UTC)

Permissions leaks the full name of other NR accounts - Regression of #267636
Link: https://hackerone.com/reports/347665
- Severity: Medium | Bounty: 1,500 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 10:58am (UTC)

[NR Alerts] Internal API exposes Synthetics monitor details to a restricted user without view monitor permissions
Link: https://hackerone.com/reports/386556
- Severity: Medium | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 10:58am (UTC)

[NR Alerts/Synthetics?] User with no Synthetics permissions can view synthetic monitor details through /internal_api/ endpoint
Link: https://hackerone.com/reports/320200
- Severity: Medium | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 10:59am (UTC)

Restricted user can bypass permissions restriction to create NR Alert policies
Link: https://hackerone.com/reports/380413
- Severity: Medium | Bounty: 500 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 11:00am (UTC)

[NR Insights] IDOR - Modify the filter settings for any NR Insights dashboard through internal_api endpoint
Link: https://hackerone.com/reports/459443
- Severity: High | Bounty: 2,500 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 11:00am (UTC)

Upgrade menu exposes the mobile application token meant to only be visible to administrators
Link: https://hackerone.com/reports/447975
- Severity: Low | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 11:00am (UTC)

Ability to view monitor names of other NR accounts through internal API (v3) via "monitor_id" parameter
Link: https://hackerone.com/reports/462321
- Severity: High | Bounty: 2,000 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 11:03am (UTC)

[NR Alerts/Synthetics] IDOR through /policies.json with Synthetics exposes full name of other NR users
Link: https://hackerone.com/reports/419875
- Severity: Medium | Bounty: 1,500 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 11:04am (UTC)

Full name of other accounts exposed through NR API Explorer (another workaround of #476958)
Link: https://hackerone.com/reports/520518
- Severity: Medium | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 11:07am (UTC)

[Synthetics/Infrastructure/everything] Individual account permissions are not properly managed and inherited on sub accounts
Link: https://hackerone.com/reports/268541
- Severity: Medium | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 5:06pm (UTC)

[NR Synthetics] (IDOR) Ability to see full name associated with other New Relic accounts through workaround of #255894
Link: https://hackerone.com/reports/267636
- Severity: Medium | Bounty: 1,500 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 5:08pm (UTC)

Logic flaw enables restricted account to access account license key
Link: https://hackerone.com/reports/200576
- Severity: Medium | Bounty: 500 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 5:08pm (UTC)

GET request to accounts.json on support site leaks the root account license key and the browser license key to a restricted user
Link: https://hackerone.com/reports/479135
- Severity: Medium | Bounty: 750 USD
- Reported To: New Relic
- Reported By: #jon_bottarini
- State: Resolved
- Disclosed: September 4, 2020, 5:09pm (UTC)

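The New Relic reports listed above share one shape: an internal API endpoint looks an object up by the identifier in the request (a user id, a monitor_id, a dashboard, an account) and returns it without checking that the object belongs to the caller's account or that the caller's role is allowed to see it. The following is an added example written for this page to show that check in isolation; it is not New Relic's code and nothing in it is taken from the reports. The monitor records, the role table and the `getMonitorVulnerable`/`getMonitorSecure` handlers are all constructed for illustration.

```javascript
// Constructed sample data: two accounts, each owning one monitor record.
// Nothing here is taken from the reports above; it exists only to exercise the check.
const MONITORS = new Map([
  ["m-1001", { id: "m-1001", accountId: 1, name: "checkout-health" }],
  ["m-2002", { id: "m-2002", accountId: 2, name: "partner-login" }],
]);

// Hypothetical per-role permission table. "restricted" users may not view monitors.
const ROLE_PERMISSIONS = {
  owner: new Set(["monitors:view", "monitors:edit"]),
  user: new Set(["monitors:view"]),
  restricted: new Set([]),
};

// VULNERABLE: trusts the identifier in the request and nothing else.
// Any authenticated caller who can guess or enumerate a monitor id gets the record,
// across account boundaries and regardless of role.
function getMonitorVulnerable(caller, monitorId) {
  const monitor = MONITORS.get(monitorId);
  if (!monitor) return { status: 404 };
  return { status: 200, body: monitor };
}

// HARDENED: object-level authorization on every lookup.
// 1. The caller's role must grant the permission this endpoint needs.
// 2. The object must belong to the caller's account. A foreign object is answered
//    with 404 rather than 403 so the response does not confirm that the id exists.
function getMonitorSecure(caller, monitorId) {
  const allowed = ROLE_PERMISSIONS[caller.role] || new Set();
  if (!allowed.has("monitors:view")) return { status: 403 };
  const monitor = MONITORS.get(monitorId);
  if (!monitor || monitor.accountId !== caller.accountId) return { status: 404 };
  return { status: 200, body: monitor };
}

// Run both handlers against the same three requests and return [vulnerable, secure]
// status codes for each, so the difference is visible side by side.
function demo() {
  const acct1User = { accountId: 1, role: "user" };
  const acct1Restricted = { accountId: 1, role: "restricted" };
  const pair = (caller, id) => [
    getMonitorVulnerable(caller, id).status,
    getMonitorSecure(caller, id).status,
  ];
  return {
    ownObject: pair(acct1User, "m-1001"),          // both 200: legitimate access
    otherAccount: pair(acct1User, "m-2002"),       // 200 vs 404: the IDOR case
    restrictedRole: pair(acct1Restricted, "m-1001"), // 200 vs 403: the missing-permission case
  };
}

console.log(demo());
```

Several titles above say "regression" or "workaround of" an earlier report, which is what happens when the check is patched into one route at a time. The ownership and permission test belongs in the function that loads the object, so that every endpoint, including the ones the UI calls through /internal_api/, goes through it.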
Reflected-XSS on https://www.topcoder.com/tc via pt parameter
Link: https://hackerone.com/reports/789652
- Severity: Medium
- Reported To: Topcoder
- Reported By: #laz0rde
- State: Resolved
- Disclosed: September 4, 2020, 7:53pm (UTC)

[extend-merge] Prototype pollution
Link: https://hackerone.com/reports/878339
- Severity: High
- Reported To: Node.js third-party modules
- Reported By: #d3lla
- State: Resolved
- Disclosed: September 6, 2020, 1:00pm (UTC)

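Prototype pollution in a deep-merge helper follows one general pattern: the merge recurses into a key named `__proto__` taken from attacker-controlled input and so writes into `Object.prototype`. The block below is an added example for this page showing that pattern and its fix; it is not the extend-merge package's code, and the report entry above gives no details, so the `mergeVulnerable`/`mergeSafe` functions and the payload are constructed for illustration.

```javascript
// Constructed example: a naive recursive merge beside a hardened version.
// Neither function is the code of the package named in the report above.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE: iterates every key of `source`, including one literally named
// "__proto__", and recurses into target[key]. For that key, target[key] resolves
// to Object.prototype, so the attacker's properties land on every object.
function mergeVulnerable(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: refuse the keys that reach the prototype chain, copy only own
// properties, and never recurse into a target slot that is not an own property.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, shaped the way it arrives from a JSON request body:
// JSON.parse creates an own, enumerable property whose name is "__proto__".
const PAYLOAD = JSON.parse('{"__proto__": {"isAdmin": true}}');

// Merge the payload into an empty object with the given function and report
// whether a brand-new, unrelated object has picked up the injected property.
function pollutes(mergeFn) {
  mergeFn({}, PAYLOAD);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so the next check starts clean
  return leaked;
}

console.log("naive merge pollutes Object.prototype:", pollutes(mergeVulnerable));
console.log("hardened merge pollutes Object.prototype:", pollutes(mergeSafe));
```

The `isAdmin` property name is only a stand-in for whatever flag the consuming application later reads off an object it believes it created itself; any such check downstream of the polluted prototype is the actual impact. Merging into a prototype-less object (`Object.create(null)`) is a further hardening for the target side, but the key filter is the part that stops the write.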
Reading arbitrary files via running arbitrary python code
Link: https://hackerone.com/reports/974697
- Severity: No Rating
- Reported To: BugPoC
- Reported By: #hackk9
- State: N/A
- Disclosed: September 6, 2020, 1:17pm (UTC)

Keychain data persistence may lead to account takeover
Link: https://hackerone.com/reports/761975
- Severity: Low | Bounty: 100 USD
- Reported To: QIWI
- Reported By: #0x3c3e
- State: Resolved
- Disclosed: September 7, 2020, 2:47pm (UTC)

XSS on https://fax.pbx.itsendless.org/ (CVE-2017-18024)
Link: https://hackerone.com/reports/963798
- Severity: Medium
- Reported To: Endless Hosting
- Reported By: #pirneci
- State: Resolved
- Disclosed: September 7, 2020, 5:42pm (UTC)