CWE-425
AllowedDirect Request ('Forced Browsing')
Abstraction: Base · Status: Incomplete
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
269 vulnerabilities reference this CWE, most recent first.
GHSA-CG66-GRW3-W6J2
Vulnerability from github – Published: 2022-04-29 03:01 – Updated: 2025-01-16 21:30phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request.
{
"affected": [],
"aliases": [
"CVE-2004-2257"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2004-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "phpMyFAQ 1.4.0 allows remote attackers to access the Image Manager to upload or delete images without authorization via a direct request.",
"id": "GHSA-cg66-grw3-w6j2",
"modified": "2025-01-16T21:30:53Z",
"published": "2022-04-29T03:01:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-2257"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/16814"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/12085"
},
{
"type": "WEB",
"url": "http://securitytracker.com/id?1010795"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/8240"
},
{
"type": "WEB",
"url": "http://www.phpmyfaq.de/advisory_2004-07-27.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/10813"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQ6F-PHQ5-PC66
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:03Missing Access Control in the "Free Time" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.
{
"affected": [],
"aliases": [
"CVE-2019-12583"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-27T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Missing Access Control in the \"Free Time\" component of several Zyxel UAG, USG, and ZyWall devices allows a remote attacker to generate guest accounts by directly accessing the account generator. This can lead to unauthorised network access or Denial of Service.",
"id": "GHSA-cq6f-phq5-pc66",
"modified": "2024-04-04T01:03:18Z",
"published": "2022-05-24T16:48:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12583"
},
{
"type": "WEB",
"url": "https://n-thumann.de/blog/zyxel-gateways-missing-access-control-in-account-generator-xss"
},
{
"type": "WEB",
"url": "https://www.zyxel.com/support/vulnerabilities-related-to-the-Free-Time-feature.shtml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CRJM-JRHG-6RM3
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:19In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer.
{
"affected": [],
"aliases": [
"CVE-2019-13981"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-19T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer.",
"id": "GHSA-crjm-jrhg-6rm3",
"modified": "2024-04-04T01:19:18Z",
"published": "2022-05-24T16:50:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13981"
},
{
"type": "WEB",
"url": "https://github.com/directus/api/issues/986"
},
{
"type": "WEB",
"url": "https://github.com/directus/api/issues/987"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CVGC-MX2W-H3W8
Vulnerability from github – Published: 2025-05-21 18:33 – Updated: 2025-05-21 20:09The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. This allows attackers to read arbitrary files.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sjbr/sr-feuser-register"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "12.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48205"
],
"database_specific": {
"cwe_ids": [
"CWE-425",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-21T20:09:49Z",
"nvd_published_at": "2025-05-21T16:15:32Z",
"severity": "HIGH"
},
"details": "The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. This allows attackers to read arbitrary files.",
"id": "GHSA-cvgc-mx2w-h3w8",
"modified": "2025-05-21T20:09:49Z",
"published": "2025-05-21T18:33:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48205"
},
{
"type": "PACKAGE",
"url": "https://codeberg.org/sjbr/sr-feuser-register"
},
{
"type": "WEB",
"url": "https://codeberg.org/sjbr/sr-feuser-register/commit/be44f61a475371c36b2035cbb523b56f5e34267d"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-ext-sa-2025-008"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "The Front End User Registration extension for TYPO3 (sr_feuser_register) allows Insecure Direct Object Reference"
}
GHSA-F4GF-WV2J-P66R
Vulnerability from github – Published: 2022-06-07 00:00 – Updated: 2022-06-18 00:00An unauthenticated attacker can send a specially crafted packets to update the “notes” section of the home page of the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29.
{
"affected": [],
"aliases": [
"CVE-2022-31485"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-06T17:15:00Z",
"severity": "MODERATE"
},
"details": "An unauthenticated attacker can send a specially crafted packets to update the \u201cnotes\u201d section of the home page of the web interface. This vulnerability impacts products based on HID Mercury Intelligent Controllers LP1501, LP1502, LP2500, LP4502, and EP4502 which contain firmware versions prior to 1.29.",
"id": "GHSA-f4gf-wv2j-p66r",
"modified": "2022-06-18T00:00:26Z",
"published": "2022-06-07T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31485"
},
{
"type": "WEB",
"url": "https://www.corporate.carrier.com/product-security/advisories-resources"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8XF-39W2-MRC6
Vulnerability from github – Published: 2024-01-22 18:31 – Updated: 2024-01-22 18:31Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
{
"affected": [],
"aliases": [
"CVE-2024-0204"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-22T18:15:20Z",
"severity": "CRITICAL"
},
"details": "Authentication bypass in Fortra\u0027s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.",
"id": "GHSA-f8xf-39w2-mrc6",
"modified": "2024-01-22T18:31:17Z",
"published": "2024-01-22T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0204"
},
{
"type": "WEB",
"url": "https://my.goanywhere.com/webclient/ViewSecurityAdvisories.xhtml"
},
{
"type": "WEB",
"url": "https://www.fortra.com/security/advisory/fi-2024-001"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176683/GoAnywhere-MFT-Authentication-Bypass.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176974/Fortra-GoAnywhere-MFT-Unauthenticated-Remote-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F9CP-Q3Q5-MXV9
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22The Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script v1.7.0 allows remote attackers to bypass intended access restrictions by directly navigating to admin/dashboard.php or admin/user.php, as demonstrated by disclosure of information about users and staff.
{
"affected": [],
"aliases": [
"CVE-2019-6126"
],
"database_specific": {
"cwe_ids": [
"CWE-425"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-11T05:29:00Z",
"severity": "HIGH"
},
"details": "The Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script v1.7.0 allows remote attackers to bypass intended access restrictions by directly navigating to admin/dashboard.php or admin/user.php, as demonstrated by disclosure of information about users and staff.",
"id": "GHSA-f9cp-q3q5-mxv9",
"modified": "2022-05-13T01:22:36Z",
"published": "2022-05-13T01:22:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6126"
},
{
"type": "WEB",
"url": "https://github.com/Mad-robot/CVE-List/blob/master/Advance%20Peer%20to%20Peer%20MLM%20Script.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FC75-58R8-RM3H
Vulnerability from github – Published: 2023-10-19 15:50 – Updated: 2023-10-19 15:50Impact
A user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Patches
Patched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release.
Workarounds
None.
Acknowledgements
Many thanks to @quyenheu for reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Visit Wagtail's support channels
- Email us at security@wagtail.org (view our security policy for more information).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0"
},
{
"fixed": "5.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "wagtail"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-45809"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-425",
"CWE-532"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-19T15:50:58Z",
"nvd_published_at": "2023-10-19T19:15:15Z",
"severity": "LOW"
},
"details": "### Impact\n\nA user with a limited-permission editor account for the Wagtail admin can make a direct URL request to the admin view that handles bulk actions on user accounts. While authentication rules prevent the user from making any changes, the error message discloses the display names of user accounts, and by modifying URL parameters, the user can retrieve the display name for any user. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.\n\n### Patches\nPatched versions have been released as Wagtail 4.1.9 (LTS), 5.0.5 and 5.1.3. The fix is also included in Release Candidate 1 of the forthcoming Wagtail 5.2 release.\n\n### Workarounds\nNone.\n\n### Acknowledgements\nMany thanks to @quyenheu for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Visit Wagtail\u0027s [support channels](https://docs.wagtail.io/en/stable/support.html)\n* Email us at [security@wagtail.org](mailto:security@wagtail.org) (view our [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).",
"id": "GHSA-fc75-58r8-rm3h",
"modified": "2023-10-19T15:50:58Z",
"published": "2023-10-19T15:50:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-fc75-58r8-rm3h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45809"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/0bacd29473107d9d7f5b723a15a683449679756d"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/2231f462c75dfe84307fb40577e8c2109a23b27e"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/commit/bc96aed6ac53f998b2f4c4bf97e2d4f5fe337e5b"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/wagtail/PYSEC-2023-219.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/wagtail/wagtail"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/releases/tag/v4.1.9"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/releases/tag/v5.0.5"
},
{
"type": "WEB",
"url": "https://github.com/wagtail/wagtail/releases/tag/v5.1.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Wagtail vulnerable to disclosure of user names via admin bulk action views"
}
GHSA-FCP5-57P2-VF46
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2022-04-20 00:00A vulnerability has been identified in SICAM A8000 CP-8031 (All versions < V4.80), SICAM A8000 CP-8050 (All versions < V4.80). Affected devices do not require an user to be authenticated to access certain files. This could allow unauthenticated attackers to download these files.
{
"affected": [],
"aliases": [
"CVE-2022-27480"
],
"database_specific": {
"cwe_ids": [
"CWE-425",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T09:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in SICAM A8000 CP-8031 (All versions \u003c V4.80), SICAM A8000 CP-8050 (All versions \u003c V4.80). Affected devices do not require an user to be authenticated to access certain files. This could allow unauthenticated attackers to download these files.",
"id": "GHSA-fcp5-57p2-vf46",
"modified": "2022-04-20T00:00:50Z",
"published": "2022-04-13T00:00:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27480"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-316850.pdf"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/166743/Siemens-A8000-CP-8050-CP-8031-SICAM-WEB-Missing-File-Download-Missing-Authentication.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Apr/20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FF7X-QRG7-QGGM
Vulnerability from github – Published: 2020-07-29 20:56 – Updated: 2022-08-11 14:58Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dot-prop"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "dot-prop"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-8116"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-425",
"CWE-471"
],
"github_reviewed": true,
"github_reviewed_at": "2020-07-29T20:51:37Z",
"nvd_published_at": "2020-02-04T20:15:00Z",
"severity": "HIGH"
},
"details": "Prototype pollution vulnerability in dot-prop npm package versions before 4.2.1 and versions 5.x before 5.1.1 allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.",
"id": "GHSA-ff7x-qrg7-qggm",
"modified": "2022-08-11T14:58:19Z",
"published": "2020-07-29T20:56:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/issues/63"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/719856"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm"
},
{
"type": "PACKAGE",
"url": "https://github.com/sindresorhus/dot-prop"
},
{
"type": "WEB",
"url": "https://github.com/sindresorhus/dot-prop/tree/v4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "dot-prop Prototype Pollution vulnerability"
}
Mitigation
Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Mitigation
Consider using MVC based frameworks such as Struts.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-143: Detect Unpublicized Web Pages
An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.
CAPEC-144: Detect Unpublicized Web Services
An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.
CAPEC-87: Forceful Browsing
An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.