CWE-425
AllowedDirect Request ('Forced Browsing')
Abstraction: Base · Status: Incomplete
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
269 vulnerabilities reference this CWE, most recent first.
GHSA-4487-MJX5-9V4R
Vulnerability from github – Published: 2022-10-11 19:00 – Updated: 2022-10-12 12:00A Vertical Privilege Escalation issue in Merchandise Online Store v.1.0 allows an attacker to get access to the admin dashboard.
{
"affected": [],
"aliases": [
"CVE-2022-42238"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-11T18:15:00Z",
"severity": "HIGH"
},
"details": "A Vertical Privilege Escalation issue in Merchandise Online Store v.1.0 allows an attacker to get access to the admin dashboard.",
"id": "GHSA-4487-mjx5-9v4r",
"modified": "2022-10-12T12:00:22Z",
"published": "2022-10-11T19:00:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42238"
},
{
"type": "WEB",
"url": "https://github.com/draco1725/localpriv/blob/main/poc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-44G9-QRMG-2WVF
Vulnerability from github – Published: 2022-10-20 19:00 – Updated: 2022-10-21 19:01In Simple Exam Reviewer Management System v1.0 the User List function has improper access control that allows low privileged users to modify user permissions to higher privileges.
{
"affected": [],
"aliases": [
"CVE-2022-42197"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-20T13:15:00Z",
"severity": "MODERATE"
},
"details": "In Simple Exam Reviewer Management System v1.0 the User List function has improper access control that allows low privileged users to modify user permissions to higher privileges.",
"id": "GHSA-44g9-qrmg-2wvf",
"modified": "2022-10-21T19:01:10Z",
"published": "2022-10-20T19:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42197"
},
{
"type": "WEB",
"url": "https://github.com/ciph0x01/Simple-Exam-Reviewer-Management-System-CVE/blob/main/CVE-2022-42197.md"
},
{
"type": "WEB",
"url": "https://www.sourcecodester.com/php/15160/simple-exam-reviewer-management-system-phpoop-free-source-code.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-45M2-RWC3-RQ9V
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2022-05-13 01:08Eloan V3.0 through 2018-09-20 allows remote attackers to list files via a direct request to the p2p/api/ or p2p/lib/ or p2p/images/ URI.
{
"affected": [],
"aliases": [
"CVE-2019-9552"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-04T04:29:00Z",
"severity": "CRITICAL"
},
"details": "Eloan V3.0 through 2018-09-20 allows remote attackers to list files via a direct request to the p2p/api/ or p2p/lib/ or p2p/images/ URI.",
"id": "GHSA-45m2-rwc3-rq9v",
"modified": "2022-05-13T01:08:19Z",
"published": "2022-05-13T01:08:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9552"
},
{
"type": "WEB",
"url": "https://github.com/lmy1342554547/p2pProject/issues/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46XH-7854-F568
Vulnerability from github – Published: 2026-05-21 21:30 – Updated: 2026-06-24 20:57Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "concrete5/concrete5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-8205"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T18:17:35Z",
"nvd_published_at": "2026-05-21T21:16:33Z",
"severity": "MODERATE"
},
"details": "Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar\u00a0which results in restricted event details being disclosed.",
"id": "GHSA-46xh-7854-f568",
"modified": "2026-06-24T20:57:01Z",
"published": "2026-05-21T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8205"
},
{
"type": "WEB",
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
},
{
"type": "PACKAGE",
"url": "https://github.com/concretecms/concretecms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Concrete CMS is vulnerable to authorization bypass in the Calendar Block"
}
GHSA-48J5-GRH5-3F4F
Vulnerability from github – Published: 2023-03-29 15:30 – Updated: 2023-04-05 03:30Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. The root cause of this vulnerability is an insecurely configured servlet mapping for the underlying Apache Tomcat server. As a result, the downloads directory and its contents are accessible. 5.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C)
{
"affected": [],
"aliases": [
"CVE-2023-1663"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-29T14:15:00Z",
"severity": "MODERATE"
},
"details": "Coverity versions prior to 2023.3.2 are vulnerable to forced browsing, which exposes authenticated resources to unauthorized actors. The root cause of this vulnerability is an insecurely configured servlet mapping for the underlying Apache Tomcat server. As a result, the downloads directory and its contents are accessible. 5.9 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C)",
"id": "GHSA-48j5-grh5-3f4f",
"modified": "2023-04-05T03:30:17Z",
"published": "2023-03-29T15:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1663"
},
{
"type": "WEB",
"url": "https://community.synopsys.com/s/article/Mitigation-for-Coverity-Platforms-Exposure-to-CVE-2023-1663"
},
{
"type": "WEB",
"url": "https://community.synopsys.com/s/article/SIG-Product-Security-Advisory-CVE-2023-1663-Affecting-Coverity-Platform"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4G2V-6X25-VR7P
Vulnerability from github – Published: 2022-04-10 00:00 – Updated: 2022-04-16 00:01Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.
{
"affected": [],
"aliases": [
"CVE-2022-28365"
],
"database_specific": {
"cwe_ids": [
"CWE-425",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-09T17:15:00Z",
"severity": "MODERATE"
},
"details": "Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.",
"id": "GHSA-4g2v-6x25-vr7p",
"modified": "2022-04-16T00:01:22Z",
"published": "2022-04-10T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28365"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2022/Apr/1"
},
{
"type": "WEB",
"url": "https://www.reprisesoftware.com/RELEASE_NOTES"
},
{
"type": "WEB",
"url": "https://www.reprisesoftware.com/products/software-license-management.php"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/166647/Reprise-License-Manager-14.2-Cross-Site-Scripting-Information-Disclosure.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4PG2-JRCH-M6P4
Vulnerability from github – Published: 2024-03-05 12:30 – Updated: 2025-04-23 21:30A CWE-862 “Missing Authorization” vulnerability in the “file_configuration” functionality of the web application allows a remote unauthenticated attacker to access confidential configuration files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.
{
"affected": [],
"aliases": [
"CVE-2023-45596"
],
"database_specific": {
"cwe_ids": [
"CWE-425",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-05T12:15:46Z",
"severity": "MODERATE"
},
"details": "A CWE-862 \u201cMissing Authorization\u201d vulnerability in the \u201cfile_configuration\u201d functionality of the web application allows a remote unauthenticated attacker to access confidential configuration files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.",
"id": "GHSA-4pg2-jrch-m6p4",
"modified": "2025-04-23T21:30:31Z",
"published": "2024-03-05T12:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45596"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-45596"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-54R9-6X6G-2VFV
Vulnerability from github – Published: 2022-12-25 06:30 – Updated: 2023-01-06 21:30Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).
{
"affected": [],
"aliases": [
"CVE-2022-42953"
],
"database_specific": {
"cwe_ids": [
"CWE-425",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-25T05:15:00Z",
"severity": "HIGH"
},
"details": "Certain ZKTeco products (ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM) allow access to sensitive information via direct requests for the form/DataApp?style=1 and form/DataApp?style=0 URLs. The affected versions may be before 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210). The fixed versions are firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and firmware version 15.00 (ZMM200-220-210).",
"id": "GHSA-54r9-6x6g-2vfv",
"modified": "2023-01-06T21:30:41Z",
"published": "2022-12-25T06:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42953"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2022/Oct/23"
},
{
"type": "WEB",
"url": "https://www.redteam-pentesting.de/en/advisories/-advisories-publicised-vulnerability-analyses"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-55HG-77VH-978C
Vulnerability from github – Published: 2022-05-01 02:03 – Updated: 2022-05-01 02:03FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message.
{
"affected": [],
"aliases": [
"CVE-2005-1892"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2005-06-09T04:00:00Z",
"severity": "MODERATE"
},
"details": "FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message.",
"id": "GHSA-55hg-77vh-978c",
"modified": "2022-05-01T02:03:09Z",
"published": "2022-05-01T02:03:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1892"
},
{
"type": "WEB",
"url": "http://flatnuke.sourceforge.net/index.php?mod=read\u0026id=1117979256"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/15603"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1014114"
},
{
"type": "WEB",
"url": "http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2005/0697"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-56FM-6JMC-6MVP
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.
{
"affected": [],
"aliases": [
"CVE-2020-7541"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-11T01:15:00Z",
"severity": "MODERATE"
},
"details": "A CWE-425: Direct Request (\u0027Forced Browsing\u0027) vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.",
"id": "GHSA-56fm-6jmc-6mvp",
"modified": "2022-05-24T17:36:07Z",
"published": "2022-05-24T17:36:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7541"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-343-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Mitigation
Consider using MVC based frameworks such as Struts.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-143: Detect Unpublicized Web Pages
An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.
CAPEC-144: Detect Unpublicized Web Services
An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.
CAPEC-87: Forceful Browsing
An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.