Semrush Program Statistics

37 total issues disclosed

$31,766 total paid publicly

Most disclosed (7 disclosures) — Violation of Secure Design Principles



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| php info file and sql backup at vendor's subdomain | Information Disclosure | rivalsec | Low | 2021-12-08 |
| OAuth `redirect_uri` bypass using IDN homograph attack resulting in user's access token leakage | Information Disclosure | yassineaboukir | Medium | 2020-06-18 |
| IDOR in the https://market.semrush.com/ | Improper Access Control - Generic | albatraoz | Critical | 2020-04-30 |
| SSRF and LFI in site-audit tool | None supplied | a_d_a_m | High | 2020-04-30 |
| An attacker can buy marketplace articles for lower prices as it allows negative quantity values, leading to business loss | Business Logic Errors | yashrs | High | 2020-04-02 |
| IDOR in marketing calendar tool | Insecure Direct Object Reference (IDOR) | a_d_a_m | Medium | 2020-04-02 |
| Content Injection on api.semrush.com to Reflected XSS | Cross-site Scripting (XSS) - Reflected | nikitastupin | Low | 2020-04-02 |
| Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB | Cross-site Scripting (XSS) - Reflected | ziko_amazigh | Low | 2020-04-02 |
| IDOR in semrush academy | Insecure Direct Object Reference (IDOR) | a_d_a_m | Medium | 2020-02-28 |
| Ad Builder Display Ads Path Traversal | Path Traversal | ajxchapman | Medium | 2020-02-28 |
| CORS misconfiguration which leads to the disclosure of certain data concerning the user | Improper Access Control - Generic | a_d_a_m | Low | 2020-02-15 |
| Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image | Violation of Secure Design Principles | seeu | Medium | 2020-01-10 |
| Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image | Violation of Secure Design Principles | seeu | Medium | 2020-01-10 |
| GitHub information leaked | Information Disclosure | farmsec_alice | High | 2019-09-25 |
| SSRF in Get Video Contents | Server-Side Request Forgery (SSRF) | artemis233 | Medium | 2019-08-19 |
| Remote Code Execution on www.semrush.com/my_reports on Logo upload | Command Injection - Generic | fransrosen | Critical | 2019-06-24 |
| Improper authentication on registration | Improper Authentication - Generic | lezibintlgent | Medium | 2018-08-24 |
| Post-based XSS on upload via CKEditor [semrush.com] | Cross-site Scripting (XSS) - Reflected | apapedulimu | Low | 2018-08-17 |
| Password reset token leakage via Referer | Violation of Secure Design Principles | ethical_hacker30121996 | Low | 2018-08-14 |
| Error Page Content Spoofing or Text Injection | Violation of Secure Design Principles | asad_anwar | Low | 2018-06-29 |
| XSS on redirection page (bypassed) | Cross-site Scripting (XSS) - Reflected | kunal94 | Low | 2018-06-13 |
| [oauth token leak] at oauth.semrush.com | Improper Authentication - Generic | nikitastupin | High | 2018-04-17 |
| CORS (Cross-Origin Resource Sharing) | Improper Authentication - Generic | asad_anwar | Low | 2018-03-20 |
| Email Spoofing | Violation of Secure Design Principles | protector47 | Medium | 2018-03-13 |
| SSLv3 POODLE attack on IP of semrush | Violation of Secure Design Principles | h3r0es | Low | 2018-03-13 |
| Broken Authentication: a project addition request can be used multiple times for different users | Key Exchange without Entity Authentication | walterhwhite | High | 2018-03-13 |
| Clickjacking on Semrush auth login | UI Redressing (Clickjacking) | karrrtik | None | 2018-03-13 |
| XXE in Site Audit function exposing file and directory contents | XML External Entities (XXE) | achapman | Critical | 2018-03-13 |
| Cross-origin resource sharing misconfig | Improper Authentication - Generic | asad_anwar | Low | 2018-03-13 |
| Security misconfiguration "weak passwords" | Violation of Secure Design Principles | whitehatmmalam | Medium | 2018-03-13 |
| Insecure Direct Object Reference on API without API key | None supplied | scraps | High | 2018-03-13 |
| Single Sign-On - Clickjacking | UI Redressing (Clickjacking) | r0p3 | Low | 2018-02-21 |
| Reflected XSS using Header Injection | Cross-site Scripting (XSS) - Reflected | inferno- | Low | 2018-01-18 |
| Cross-origin resource sharing | None supplied | sureshbudharapu | High | 2018-01-11 |
| Following links are vulnerable to clickjacking | UI Redressing (Clickjacking) | karma1 | Low | 2018-01-11 |
| Subdomain takeover at news-static.semrush.com | None supplied | 0ways | High | 2018-01-10 |
| Cross-origin resource sharing misconfig / steal user information | None supplied | bughunterboy | Medium | 2017-12-17 |