
CWE-425 (Direct Request (Forced Browsing)) — Vulnerability Class 76

76 vulnerabilities classified as CWE-425 (Direct Request (Forced Browsing)). AI Chinese analysis included.

CWE-425, Direct Request or 'Forced Browsing,' is a critical access control weakness where applications fail to enforce proper authorization on restricted resources. Attackers typically exploit this vulnerability by manually guessing or enumerating valid Uniform Resource Locators (URLs) to access sensitive files, scripts, or administrative interfaces that should remain hidden from unauthorized users. This often occurs when developers rely solely on client-side restrictions or assume that obscure file paths provide sufficient security. To prevent forced browsing, developers must implement robust server-side access controls that validate user permissions for every request, regardless of the resource’s visibility or naming convention. Additionally, employing comprehensive logging and monitoring helps detect enumeration attempts, while strict adherence to the principle of least privilege ensures that users only access data necessary for their specific roles, effectively neutralizing the threat of unauthorized direct requests.

MITRE CWE Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity
Mitigations (2)
Phase: Architecture and Design, Operation. Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Phase: Architecture and Design. Consider using MVC based frameworks such as Struts.
Examples (1)
Example 1 (Attack, JSP): If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
http://somesite.com/someapplication/admin.jsp
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-1542 | Improper permission control in OXARI ServiceDesk | OXARI ServiceDesk | 8.8 (AI) | High (AI) | 2025-03-26 |
| CVE-2024-55075 | Grocy security vulnerability | Grocy | 4.3 | Medium | 2025-01-06 |
| CVE-2024-11049 | ZKTeco ZKBio Time Image File photo direct request | ZKBio Time | 3.7 | Low | 2024-11-10 |
| CVE-2024-45195 | Apache OFBiz: Confused controller-view authorization logic (forced browsing) | Apache OFBiz | 9.1 (AI) | Critical (AI) | 2024-09-04 |
| CVE-2024-7753 | SourceCodester Clinics Patient Management System user_images direct request | Clinics Patient Management System | 5.3 | Medium | 2024-08-14 |
| CVE-2024-42001 | Vonets WiFi Bridges Forced Browsing | VAR1200-H | 8.6 | High | 2024-08-08 |
| CVE-2024-7153 | Netgear WN604 siteSurvey.php direct request | WN604 | 5.3 | Medium | 2024-07-27 |
| CVE-2024-7080 | SourceCodester Insurance Management System direct request | Insurance Management System | 5.3 | Medium | 2024-07-24 |
| CVE-2024-39868 | Siemens SINEMA Remote Connect Server security vulnerability | SINEMA Remote Connect Server | 7.6 | High | 2024-07-09 |
| CVE-2024-39867 | Siemens SINEMA Remote Connect security vulnerability | SINEMA Remote Connect Server | 7.6 | High | 2024-07-09 |
| CVE-2024-6414 | Parsec Automation TrakSYS Export Page contentpage direct request | TrakSYS | 5.3 | Medium | 2024-06-30 |
| CVE-2024-6188 | Parsec Automation TrackSYS pagedefinition direct request | TrackSYS | 5.3 | Medium | 2024-06-20 |
| CVE-2024-2730 | Predictable Page Indexing Might Lead to Sensitive Data Exposure in Mautic | Mautic | 5.3 | Medium | 2024-04-10 |
| CVE-2023-45598 | AiLux imx6 security vulnerability | imx6 bundle | 5.3 | Medium | 2024-03-05 |
| CVE-2023-45596 | AiLux imx6 security vulnerability | imx6 bundle | 5.3 | Medium | 2024-03-05 |
| CVE-2024-0861 | Direct Request ('Forced Browsing') in GitLab | GitLab | 4.3 | Medium | 2024-02-21 |
| CVE-2023-46186 | IBM Jazz for Service Management information disclosure | Jazz for Service Management | 5.3 | Medium | 2024-02-14 |
| CVE-2024-24592 | Allegro authorization issue vulnerability | ClearML | 9.8 | Critical | 2024-02-06 |
| CVE-2023-50935 | IBM PowerSC forced browsing | PowerSC | 6.5 | Medium | 2024-02-02 |
| CVE-2024-0456 | Direct Request ('Forced Browsing') in GitLab | GitLab | 4.3 | Medium | 2024-01-26 |
| CVE-2024-0204 | Authentication Bypass in GoAnywhere MFT | GoAnywhere MFT | 9.8 | Critical | 2024-01-22 |
| CVE-2023-44320 | Siemens SCALANCE multiple products security vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 4.3 | Medium | 2023-11-14 |
| CVE-2023-5786 | GeoServer GeoWebCache rest.html direct request | GeoWebCache | 5.3 | Medium | 2023-10-26 |
| CVE-2023-5702 | Viessmann Vitogate 300 direct request | Vitogate 300 | 4.3 | Medium | 2023-10-23 |
| CVE-2023-4018 | Direct Request ('Forced Browsing') in GitLab | GitLab | 4.3 | Medium | 2023-09-01 |
| CVE-2023-4544 | Byzoro Smart S85F Management Platform php.ini direct request | Smart S85F Management Platform | 4.3 | Medium | 2023-08-26 |
| CVE-2023-3426 | Liferay Portal and Liferay DXP security vulnerability | DXP | 4.3 | Medium | 2023-08-02 |
| CVE-2023-3792 | Beijing Netcon NS-ASG test_status.php direct request | NS-ASG | 4.3 | Medium | 2023-07-20 |
| CVE-2023-22834 | The contour service was not checking that users had permission to create an analysis for a given dataset | com.palantir.contour:contour-dispatch | 2.7 | Low | 2023-06-26 |
| CVE-2023-2524 | Control iD RHiD direct request | RHiD | 6.3 | Medium | 2023-05-04 |

Scores and severities marked "(AI)" are AI-estimated rather than taken from the published CVSS record.

Vulnerabilities classified as CWE-425 (Direct Request (Forced Browsing)) represent 76 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.