Hey team, I have discovered the CSTI vulnerability at NR single Plugin page leading to stored XSS. To plant the payload you need to publish new plugin using account having the payload inside its name. Below I show you the easiest way to reproduce this using a python script which creates the new plugin using the Plugins API. ###Steps to reproduce: 1) Sign into the NR app with "Admin" account 2) Change the account name to `xsstest{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}` 3) Open attached python-script and change the `YOUR_LICENSE_KEY` to your own license key 4) Install the necessary python dependency with `sudo pip install requests` 5) Run the changed script with `python nr_new_plugin.py` 6) Navigate to NR Plugins and then to your new created plugin 7) Make sure the XSS payload is fired {F494473} ###Remediation The vulnerability exists because of using the Angular framework. Here is the HTML-code of plugin page: ```html ...

Published and supported by

PUBLISHER_NAME_HERE

About us | ... ``` As you can see, the `PUBLISHER_NAME_HERE` is inside the element which is the Angular-app container (`
`, look at the `ng-app` attribute). It means that its content will be considered as Angular template so attacker can use the Angular template sandbox escape vulnerability to trigger an XSS here. The right way to fix this is not to return the user controlled data inside the Angular app container. All user controlled data should be retrieved using Angular built-in AJAX. As the immediate fix, you can just filter the `{}` signs. The vulnerability impact seems to be **higher than usual**, because after publishing this plugin, **every user from any account can be attacked**, when he visits the infected plugin page, not only users inside the attacker's account. So the impact here is up to the **arbitrary account takeover**. ## Impact Attacker can force victim to execute arbitrary JS-code.

New Relic: CSTI at Plugin page leading to active stored XSS (Publisher name)