CWE-425
Direct Request ('Forced Browsing')
Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-127 · CAPEC-143 · CAPEC-144 · CAPEC-668 · CAPEC-87
CVEs mapped to this weakness (77)
page 1 of 4

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17736 | | Critical | 0.69 | 9.8 | 0.69 | | Mar 23, 2018 | Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attackers to obtain Global Administrator access by visiting CMSInstall/install.aspx and then navigating to the CMS Administration Dashboard. |
| CVE-2017-14244 | | Critical | 0.68 | 9.8 | 0.17 | | Sep 17, 2017 | An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi and /password.cgi. |
| CVE-2022-43110 | | Critical | 0.64 | 9.8 | 0.01 | | Aug 22, 2025 | Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface… |
| CVE-2025-26689 | | Critical | 0.64 | 9.8 | 0.01 | | Mar 31, 2025 | Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may be altered. |
| CVE-2018-6624 | | Critical | 0.64 | 9.8 | 0.02 | | Feb 5, 2018 | OMRON NS devices 1.1 through 1.3 allow remote attackers to bypass authentication via a direct request to the .html file for a specific screen, as demonstrated by monitor.html. |
| CVE-2002-1798 | | Critical | 0.63 | 9.1 | 0.05 | | Dec 31, 2002 | MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php. |
| CVE-2025-1542 | | Critical | 0.60 | — | 0.00 | | Mar 26, 2025 | Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application. This issue affects OXARI ServiceDesk in versions before… |
| CVE-2026-22732 | | Critical | 0.59 | 9.1 | 0.00 | | Mar 19, 2026 | When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: from… |
| CVE-2017-10833 | | Critical | 0.59 | 9.1 | 0.02 | | Aug 29, 2017 | "Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows remote attackers to bypass access restriction to view information or modify configurations via unspecified vectors. |
| CVE-2018-3774 | — | Critical | 0.58 | 10.0 | 0.04 | | Aug 12, 2018 | Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol. |
| CVE-2025-15587 | | High | 0.56 | — | 0.00 | | Mar 16, 2026 | Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a graphical interface. This issue has been fixed in firmware versions: 1.36 (for… |
| CVE-2025-48205 | | High | 0.56 | 8.6 | 0.00 | | May 21, 2025 | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2025-32367 | | High | 0.56 | 8.6 | 0.00 | | Apr 11, 2025 | The Oz Forensics face recognition application before 4.0.8 late 2023 allows PII retrieval via /statistic/list Insecure Direct Object Reference. NOTE: the number 4.0.8 was used for both the unpatched and patched versions. |
| CVE-2026-0650 | | Critical | 0.53 | — | 0.00 | | Jan 7, 2026 | OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without… |
| CVE-2017-15235 | | High | 0.52 | 7.5 | 0.06 | | Oct 11, 2017 | The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename. |
| CVE-2018-16706 | | High | 0.51 | 7.5 | 0.22 | | Sep 14, 2018 | LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080. |
| CVE-2025-48207 | — | High | 0.49 | 8.6 | 0.00 | | May 21, 2025 | The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference. |
| CVE-2025-48201 | | High | 0.49 | 8.6 | 0.00 | | May 21, 2025 | The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. |
| CVE-2018-7526 | | High | 0.49 | 7.5 | 0.01 | | May 24, 2018 | In TotalAlert Web Application in BeaconMedaes Scroll Medical Air Systems prior to v4107600010.23, by accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access information in the application without authenticating. |
| CVE-2017-14993 | | High | 0.49 | 7.5 | 0.01 | | Feb 20, 2018 | OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x before 4.10.6 (maintenance), and 4.9.x before 4.9.11 (legacy), Enterprise Edition before 6.0.0 RC3 (development), 5.2.x before 5.2.11 (legacy), and 5.3.x before 5.3.6 (maintenance), and Professional Edition… |