
CWE-425 (Direct Request, 'Forced Browsing') — Vulnerability Class 76

76 vulnerabilities classified as CWE-425 (Direct Request, 'Forced Browsing'). AI Chinese analysis included.

CWE-425, Direct Request ('Forced Browsing'), is an access control weakness in which an application fails to enforce authorization on restricted resources. An attacker exploits it by guessing or enumerating valid Uniform Resource Locators (URLs) to reach sensitive files, scripts, or administrative interfaces that the application never links to but still serves. It typically arises when developers rely on client-side restrictions (hiding a link or button) or assume that an obscure path is a sufficient control. The fix is server-side: validate the caller's permissions on every request to a restricted URL, regardless of how visible or guessable the path is. Logging and monitoring of denied requests help detect enumeration attempts, and applying the principle of least privilege, so that each role can reach only the resources it needs, limits the impact of any direct request that does get through.

MITRE CWE Description
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Common Consequences (1)
Scope: Confidentiality, Integrity, Availability, Access Control
Impact: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Mitigations (2)
Phase: Architecture and Design, Operation. Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
Phase: Architecture and Design. Consider using MVC based frameworks such as Struts.

Examples (1)
If forced browsing is possible, an attacker may be able to directly access a sensitive page by entering a URL similar to the following.
http://somesite.com/someapplication/admin.jsp
(Nature: Attack. Language: JSP)
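As an added example (not from the MITRE entry or this page's own material), the following Python sketch puts the weakness beside the mitigation and the monitoring advice described above: a dispatcher that protects admin.jsp only by never linking to it, a deny-by-default dispatcher that authorizes every request to a restricted URL, and a small access-log check that flags clients collecting many denied responses. The route table, roles, paths other than admin.jsp, and log lines are all constructed for the example.

```python
# Added example, not from the page or MITRE: CWE-425 beside a deny-by-default fix.
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Request:
    path: str
    user: str = ""                          # empty string = unauthenticated
    roles: set = field(default_factory=set)

# Constructed route table; admin.jsp mirrors the MITRE example above.
PUBLIC = {"/someapplication/index.jsp"}
RESTRICTED = {
    "/someapplication/admin.jsp": {"admin"},
    "/someapplication/export.csv": {"admin", "auditor"},
}

def vulnerable_dispatch(req: Request) -> int:
    """CWE-425: admin.jsp is 'hidden' only by not being linked; any direct request is served."""
    return 200 if req.path in PUBLIC or req.path in RESTRICTED else 404

def hardened_dispatch(req: Request) -> int:
    """Mitigation: authorize every request to a restricted URL, deny by default."""
    if req.path in PUBLIC:
        return 200
    allowed = RESTRICTED.get(req.path)
    if allowed is None:
        return 404                          # unknown path: refuse, never guess
    if not req.user:
        return 401                          # authenticate first
    if not (req.roles & allowed):
        return 403                          # authenticated but not permitted
    return 200

def suspicious_clients(log_lines, threshold=3):
    """Detection: clients with many 401/403/404 responses are probing for URLs.
    Each line is 'ip path status' (constructed format)."""
    denied = Counter()
    for line in log_lines:
        ip, _path, status = line.split()
        if status in ("401", "403", "404"):
            denied[ip] += 1
    return sorted(ip for ip, n in denied.items() if n >= threshold)

# Constructed sample log: 10.0.0.9 tries several restricted or nonexistent paths.
SAMPLE_LOG = [
    "10.0.0.9 /someapplication/admin.jsp 403",
    "10.0.0.9 /someapplication/config.bak 404",
    "10.0.0.9 /someapplication/export.csv 401",
    "192.0.2.5 /someapplication/index.jsp 200",
]
```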
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2023-1699 | Rapid7 Nexpose Forced Browsing | Nexpose | 4.3 | Medium | 2023-03-30
CVE-2023-1663 | Authenticated Resources Accessible via Forced Browsing | Coverity | 6.5 | Medium | 2023-03-29
CVE-2023-1682 | Xunrui CMS Install.txt direct request | CMS | 4.3 | Medium | 2023-03-28
CVE-2022-2551 | Duplicator < 1.4.7 - Unauthenticated Backup Download | Duplicator – WordPress Migration Plugin | 7.5 | - | 2022-08-22
CVE-2022-2544 | Ninja Job Board < 1.3.3 - Resume Disclosure via Directory Listing | Ninja Job Board – Ultimate WordPress Job Board Plugin | 7.5 | - | 2022-08-22
CVE-2022-2192 | HYPR Server security vulnerability | HYPR Server | 7.5 | High | 2022-07-19
CVE-2022-29238 | Forced Browsing in Jupyter Notebook | notebook | 4.3 | Medium | 2022-06-14
CVE-2022-31485 | Unauthenticated homepage note modification | LNL-X2210 | 5.3 | Medium | 2022-06-06
CVE-2022-31484 | User Account Deletion Unauthenticated | LNL-X2210 | 7.5 | High | 2022-06-06
CVE-2022-31480 | Unauthenticated Firmware Upload and Arbitrary Reboot | LNL-X2210 | 7.5 | High | 2022-06-06
CVE-2021-34588 | Bender Charge Controller: Unprotected data export | CC612 | 8.6 | High | 2022-04-27
CVE-2022-24385 | Information disclosure via direct object access on SmarterTrack v100.0.8019.14010 | SmarterTrack | 6.5 | Medium | 2022-03-14
CVE-2021-24695 | Simple Download Monitor < 3.9.6 - Unauthenticated Log Access | Simple Download Monitor | 5.3 | - | 2021-11-08
CVE-2020-7541 | Information disclosure vulnerability in multiple Schneider Electric products | Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions) | 5.3 | - | 2020-12-11
CVE-2019-2388 | Potential exposure of log information in Ops Manager | MongoDB Ops Manager | 5.8 | Medium | 2020-05-13
CVE-2018-3774 | url-parse security vulnerability | url-parse | 9.1 | - | 2018-08-12

Vulnerabilities classified as CWE-425 (Direct Request, 'Forced Browsing') represent 76 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.