Semrush


reports in last 90 days
19 disclosed resolved issues
7 disclosed informative issues
4 disclosed N/A issues

Listed on HackerOne — Updated on 2019/10/15

| Severity | Bug Title | Bug Type | Found By | Time to Triage | Time to Close | Report Status |
|---|---|---|---|---|---|---|
| High | Github information leaked | Information Disclosure | farmsec_alice | 1d 0h | 8d 8h | Resolved |
| Medium | SSRF In Get Video Contents | Server-Side Request Forgery (SSRF) | artemis233 | 1d 21h | 1d 0h | Resolved |
| Low | XSS Reflected on my_report | Cross-site Scripting (XSS) - Reflected | r0hack | 3d 20h | 115d 5h | Resolved |
| Critical | Remote Code Execution on www.semrush.com/my_reports on Logo upload | Command Injection - Generic | fransrosen | 0d 0h | 25d 1h | Resolved |
| Low | Post Based XSS On Upload Via CK Editor [semrush.com] | Cross-site Scripting (XSS) - Reflected | apapedulimu | 2d 3h | 26d 21h | Resolved |
| Low | Ports are not shown in third-party site redirect warning page. | None supplied | b3f53dc9b2061f7df0c2ffd | Not triaged | 0d 0h | Duplicate |
| Low | Web cache deception attack - expose earning state information | Improper Access Control - Generic | memon | Not triaged | 17d 8h | Informative |
| Low | Open Redirect | Open Redirect | ankit_singh | 5d 2h | 15d 18h | Resolved |
| Medium | Stored XSS in '' Section and WAF Bypass | Cross-site Scripting (XSS) - Stored | jimgogogo | 3d 1h | 46d 15h | Resolved |
| Low | User Controllable Cookie | None supplied | saya | Not triaged | 2d 4h | Not-applicable |
| No rating | protocol & Ports are not shown in third-party site redirect warning page | Open Redirect | prial261 | 3d 3h | 0d 1h | Resolved |
| Medium | Persistent CSV injection | None supplied | saya | Not triaged | 2d 1h | Not-applicable |
| Medium | Improper authentication on registration | Improper Authentication - Generic | lezibintlgent | Not triaged | 3d 11h | Not-applicable |
| Low | Password reset token leakage via referer | Violation of Secure Design Principles | ethical_hacker30121996 | 19d 22h | 91d 7h | Resolved |
| Low | Error Page Content Spoofing or Text Injection | Violation of Secure Design Principles | asad_anwar | 5d 13h | 79d 14h | Resolved |
| Low | XSS on redirection page (Bypassed) | Cross-site Scripting (XSS) - Reflected | kunal94 | 4d 10h | 23d 22h | Resolved |
| High | [oauth token leak] at oauth.semrush.com | Improper Authentication - Generic | nikitastupin | 1d 21h | 33d 21h | Resolved |
| High | Insecure Direct Object Reference on API without API key | None supplied | scraps | Not triaged | 20d 1h | Informative |
| Medium | Security misconfiguration "weak passwords". | Violation of Secure Design Principles | whitehatmmalam | Not triaged | 0d 7h | Informative |
| Low | Cross-origin resource sharing misconfig | Improper Authentication - Generic | asad_anwar | Not triaged | 3d 19h | Duplicate |
| Critical | XXE in Site Audit function exposing file and directory contents | XML External Entities (XXE) | achapman | 1d 1h | 0d 18h | Resolved |
| None | clickjacking to Semrush auth login | UI Redressing (Clickjacking) | karrrtik | Not triaged | 0d 17h | Informative |
| High | Broken Authentication: A project addition request can be used multiple time for different users | Key Exchange without Entity Authentication | walterhwhite | Not triaged | 0d 11h | Informative |
| Low | SSLv3 Poodle Attack on Ip Of semrush | Violation of Secure Design Principles | h3r0es | Not triaged | 0d 0h | Not-applicable |

Times are given as days and hours (e.g. 1d 21h). "Not triaged" means the report was closed without being triaged; "None supplied" means the reporter did not set a weakness type.