Semrush


37 total issues disclosed

$31,766 total paid publicly


Most disclosed (7 disclosures) — Violation of Secure Design Principles




Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| php info file and sql backup at vendor's subdomain | Information Disclosure | rivalsec | Low | 2021-12-08 |
| OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage | Information Disclosure | yassineaboukir | Medium | 2020-06-18 |
| IDOR in the https://market.semrush.com/ | Improper Access Control - Generic | albatraoz | Critical | 2020-04-30 |
| SSRF and LFI in site-audit tool | None supplied | a_d_a_m | High | 2020-04-30 |
| An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss | Business Logic Errors | yashrs | High | 2020-04-02 |
| IDOR in marketing calendar tool | Insecure Direct Object Reference (IDOR) | a_d_a_m | Medium | 2020-04-02 |
| Content Injection on api.semrush.com to Reflected XSS | Cross-site Scripting (XSS) - Reflected | nikitastupin | Low | 2020-04-02 |
| Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB | Cross-site Scripting (XSS) - Reflected | ziko_amazigh | Low | 2020-04-02 |
| IDOR in semrush academy | Insecure Direct Object Reference (IDOR) | a_d_a_m | Medium | 2020-02-28 |
| Ad Builder Display Ads Path Traversal | Path Traversal | ajxchapman | Medium | 2020-02-28 |
| CORS misconfiguration which leads to the disclosure of certain data concerning the user. | Improper Access Control - Generic | a_d_a_m | Low | 2020-02-15 |
| Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image | Violation of Secure Design Principles | seeu | Medium | 2020-01-10 |
| Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image | Violation of Secure Design Principles | seeu | Medium | 2020-01-10 |
| Github information leaked | Information Disclosure | farmsec_alice | High | 2019-09-25 |
| SSRF In Get Video Contents | Server-Side Request Forgery (SSRF) | artemis233 | Medium | 2019-08-19 |
| Remote Code Execution on www.semrush.com/my_reports on Logo upload | Command Injection - Generic | fransrosen | Critical | 2019-06-24 |
| Improper authentication on registration | Improper Authentication - Generic | lezibintlgent | Medium | 2018-08-24 |
| Post Based XSS On Upload Via CK Editor [semrush.com] | Cross-site Scripting (XSS) - Reflected | apapedulimu | Low | 2018-08-17 |
| Password reset token leakage via referer | Violation of Secure Design Principles | ethical_hacker30121996 | Low | 2018-08-14 |
| Error Page Content Spoofing or Text Injection | Violation of Secure Design Principles | asad_anwar | Low | 2018-06-29 |
| XSS on redirection page (Bypassed) | Cross-site Scripting (XSS) - Reflected | kunal94 | Low | 2018-06-13 |
| [oauth token leak] at oauth.semrush.com | Improper Authentication - Generic | nikitastupin | High | 2018-04-17 |
| CORS (Cross-Origin Resource Sharing) | Improper Authentication - Generic | asad_anwar | Low | 2018-03-20 |
| Email Spoofing | Violation of Secure Design Principles | protector47 | Medium | 2018-03-13 |
| SSLv3 Poodle Attack on IP of semrush | Violation of Secure Design Principles | h3r0es | Low | 2018-03-13 |
| Broken Authentication: A project addition request can be used multiple times for different users | Key Exchange without Entity Authentication | walterhwhite | High | 2018-03-13 |
| clickjacking to Semrush auth login | UI Redressing (Clickjacking) | karrrtik | None | 2018-03-13 |
| XXE in Site Audit function exposing file and directory contents | XML External Entities (XXE) | achapman | Critical | 2018-03-13 |
| Cross-origin resource sharing misconfig | Improper Authentication - Generic | asad_anwar | Low | 2018-03-13 |
| Security misconfiguration "weak passwords". | Violation of Secure Design Principles | whitehatmmalam | Medium | 2018-03-13 |
| Insecure Direct Object Reference on API without API key | None supplied | scraps | High | 2018-03-13 |
| Single Sign On - Clickjacking | UI Redressing (Clickjacking) | r0p3 | Low | 2018-02-21 |
| Reflected XSS using Header Injection | Cross-site Scripting (XSS) - Reflected | inferno- | Low | 2018-01-18 |
| Cross-origin resource sharing | None supplied | sureshbudharapu | High | 2018-01-11 |
| Following links are vulnerable to clickjacking | UI Redressing (Clickjacking) | karma1 | Low | 2018-01-11 |
| subdomain takeover at news-static.semrush.com | None supplied | 0ways | High | 2018-01-10 |
| Cross-origin resource sharing misconfig \| steal user information | None supplied | bughunterboy | Medium | 2017-12-17 |