CWE-425
Direct Request ('Forced Browsing')
BaseIncomplete
Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-127 · CAPEC-143 · CAPEC-144 · CAPEC-668 · CAPEC-87
CVEs mapped to this weakness (52)
page 1 of 3| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-14244 | Cri | 0.71 | 9.8 | 0.51 | Sep 17, 2017 | An authentication bypass vulnerability on iBall Baton ADSL2+ Home Router FW_iB-LR7011A_1.0.2 devices potentially allows attackers to directly access administrative router settings by crafting URLs with a .cgi extension, as demonstrated by /info.cgi and /password.cgi. | |
| CVE-2022-43110 | Cri | 0.64 | 9.8 | 0.00 | Aug 22, 2025 | Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. | |
| CVE-2025-26689 | Cri | 0.64 | 9.8 | 0.02 | Mar 31, 2025 | Direct request ('Forced Browsing') issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If a remote attacker sends a specially crafted HTTP request to the product, the product data may be obtained or deleted, and/or the product settings may be altered. | |
| CVE-2002-1798 | Cri | 0.63 | 9.1 | 0.05 | Dec 31, 2002 | MidiCart PHP, PHP Plus, and PHP Maxi allows remote attackers to (1) upload arbitrary php files via a direct request to admin/upload.php or (2) access sensitive information via a direct request to admin/credit_card_info.php. | |
| CVE-2025-1542 | Cri | 0.60 | — | 0.00 | Mar 26, 2025 | Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged account to gain additional administrative permissions in the application.This issue affects OXARI ServiceDesk in versions before 2.0.324.0. | |
| CVE-2026-22732 | Cri | 0.59 | 9.1 | 0.00 | Mar 19, 2026 | When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.8, from 7.0.0 through 7.0.3. | |
| CVE-2017-10833 | Cri | 0.59 | 9.1 | 0.00 | Aug 29, 2017 | "Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows remote attackers to bypass access restriction to view information or modify configurations via unspecified vectors. | |
| CVE-2025-48205 | Hig | 0.56 | 8.6 | 0.00 | May 21, 2025 | The sr_feuser_register extension through 12.4.8 for TYPO3 allows Insecure Direct Object Reference. | |
| CVE-2025-32367 | Hig | 0.56 | 8.6 | 0.00 | Apr 11, 2025 | The Oz Forensics face recognition application before 4.0.8 late 2023 allows PII retrieval via /statistic/list Insecure Direct Object Reference. NOTE: the number 4.0.8 was used for both the unpatched and patched versions. | |
| CVE-2026-0650 | Cri | 0.53 | — | 0.00 | Jan 7, 2026 | OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data. | |
| CVE-2017-15235 | Hig | 0.53 | 7.5 | 0.13 | Oct 11, 2017 | The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allows remote attackers to bypass Horde authentication for file downloads via a crafted fn parameter that corresponds to the exact filename. | |
| CVE-2026-25679 | Hig | 0.49 | 7.5 | 0.00 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2025-48207 | Hig | 0.49 | 8.6 | 0.00 | May 21, 2025 | The reint_downloadmanager extension through 5.0.0 for TYPO3 allows Insecure Direct Object Reference. | |
| CVE-2025-48201 | Hig | 0.49 | 8.6 | 0.00 | May 21, 2025 | The ns_backup extension through 13.0.0 for TYPO3 has a Predictable Resource Location. | |
| CVE-2025-65011 | Hig | 0.46 | — | 0.00 | Dec 18, 2025 | In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly referencing the resource in question. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version WDR28081123OV1.01 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |
| CVE-2025-26381 | Med | 0.42 | — | 0.00 | Dec 17, 2025 | Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information. | |
| CVE-2025-52920 | Med | 0.42 | 6.4 | 0.00 | Jun 23, 2025 | Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID. | |
| CVE-2017-2486 | Med | 0.42 | 6.5 | 0.00 | Apr 2, 2017 | An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to spoof the address bar via a crafted web site. | |
| CVE-2025-59797 | Med | 0.38 | 5.8 | 0.00 | Sep 22, 2025 | Profession Fit 5.0.99 Build 44910 allows authorization bypass via a direct request for /api/challenges/{id} and also URLs for eversports, the user-management page, and the plane page. | |
| CVE-2024-6188 | Med | 0.37 | 5.3 | 0.32 | Jun 20, 2024 | A vulnerability was found in Parsec Automation TrackSYS 11.x.x and classified as problematic. This issue affects some unknown processing of the file /TS/export/pagedefinition. The manipulation of the argument ID leads to direct request. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-269159. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |