Hey team, I've discovered one more stored XSS, this one is at the embedded chart page. ##Steps tp reproduce 1) Sign into NR, navigate to any Mobile app -> Interactions 2) Click `...` near any chart, then choose `Embed`. Select `OK` at the confirm box. 3) Intercept the chart embedding POST request: ```http POST /accounts/2385914/embedded_charts.json HTTP/1.1 Host: rpm.newrelic.com url=/chart_data%2Fmetric_charts%2Fsingle_metric.json...&chart_title=title ``` 4) Change a `chart_title` parameter to `` and send the changed request 5) Navigate to Tools -> Embedded charts, click `Show chart & embed code` 6) Alert is popped up {F602612} 7) Copy the `src` of iframe from embed code and navigate to it at the separate tab 8) Alert is popped up again {F602613} What is pretty bad about this issue is that: - the XSS is cross-account, so attacker can attack other accounts' users; - the vulnerable page is build to be embeddable, so attacker can embed it into his own resource and **every user visiting his page will be attacked**. {F602615} Look at the address bar, this screenshot is from my own website. But the JS payload is executed inside your `rpm.newrelic.com` domain context because I embed the iframe to the vulnerable page at my site. The issue lies inside the fact that you don't properly escape the chart title before injecting it inside script at embedded chart page (like https://rpm.newrelic.com/public/charts/jwBDr0K0WhZ): ```html ", liveChart: false, dataApiUrl: '', zoom_url: '', dataApiField: '', addToDashboard: true, embeddable: true }); }; jQuery.rpm.highcharts.registerRender(loadChart); }); ``` ## Impact Cross-account embeddable through iframe stored XSS

New Relic: Cross-account stored XSS at embedded charts