Reports in semrush program: S.No Title Bounty 1 Cross-origin resource sharing misconfig | steal user information $0.0 2 subdomain takeover at news-static.semrush.com $0.0 3 Following links are vulnerable to clickjacking $0.0 4 Cross-origin resource sharing $0.0 5 Reflected XSS using Header Injection $0.0 6 Single Sing On - Clickjacking $0.0 7 Email Spoofing $0.0 8 Insecure Direct Object Reference on API without API key $0.0 9 Security misconfiguration "weak passwords". $0.0 10 Cross-origin resource sharing misconfig $0.0 11 XXE in Site Audit function exposing file and directory contents $0.0 12 clickjacking to Semrush auth login $0.0 13 Broken Authentication: A project addition request can be used multiple time for different users $0.0 14 SSLv3 Poodle Attack on Ip Of semrush $0.0 15 CORS (Cross-Origin Resource Sharing) $0.0 16 [oauth token leak] at oauth.semrush.com $0.0 17 XSS on redirection page( Bypassed) $0.0 18 Error Page Content Spoofing or Text Injection $0.0 19 Password reset token leakage via referer $0.0 20 Post Based XSS On Upload Via CK Editor [semrush.com] $0.0 21 Improper authentication on registration $0.0 22 Open Redirect $0.0 23 Stored XSS in '' Section and WAF Bypass $0.0 24 User Controllable Cookie $0.0 25 protocol & Ports are not shown in third-party site redirect warning page $0.0 26 Persistent CSV injection $0.0 27 Ports are not shown in third-party site redirect warning page. $0.0 28 Web cache deception attack - expose earning state information $0.0 29 XSS Reflected on my_report $0.0 30 Remote Code Execution on www.semrush.com/my_reports on Logo upload $0.0 31 SSRF In Get Video Contents $0.0 32 Github information leaked $0.0 33 Manipulation of exam results at Semrush.Academy $0.0 34 Open redirect in semrush.com $0.0 35 Code injection in https://www.semrush.com $0.0 36 Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image $0.0 37 CORS misconfiguration which leads to the disclosure of certain data concerning the user. $0.0 38 Ad Builder Display Ads Path Traversal $0.0 39 IDOR in semrush academy $0.0 40 Content Injection on api.semrush.com to Reflected XSS $0.0 41 An attacker can buy marketplace articles for lower prices as it allows for negative quantity values leading to business loss $0.0 42 IDOR in marketing calendar tool $0.0 43 Reflected XSS on https://www.semrush.com/my_reports/externalSource/callback/googleAccountsGMB $0.0 44 SSRF and LFI in site-audit tool $0.0 45 IDOR in the https://market.semrush.com/ $0.0 46 OAuth redirect_uri bypass using IDN homograph attack resulting in user's access token leakage $0.0 47 Broken validation of user Id for JWT Token $0.0 48 Improper input validation in projects leads to fully deny access to project resources $0.0 49 php info file and sql backup at vendor's subdomain $0.0 50 Critically Sensitive Spring Boot Endpoints Exposed $0.0 51 IDOR allowing to read another user's token on the Social Media Ads service $0.0 52 API key (api.semrush.com) leak in JS-file $0.0 53 IDOR allows information disclosure $0.0 54 Lack of sanitization of the billing address in pdf invoice $0.0 55 IDOR vulnerability reveals additional information $0.0 56 Exposure of service tokens to webpack bundle $0.0