Web analytics firm SEMrush patched a remote code execution vulnerability that allowed attackers to open a reverse shell that could be used to attack the service. The bug was tied to SEMrush's Report Builder feature that allows users to generate custom web analytics reports using their own branding. The problem was how SEMrush handled logo images uploaded to the platform and the use of an unpatched version of ImageMagick, a web service used to process images. SEMrush said the impact was limited to an isolated portion of its main platform.
Source: https://threatpost.com/semrush-plugs-remote-code-execution-bug-in-its-saas-platform/146003/