CWE-425 233 個 CVE MITRE 定義 ↗

CWE-425:Direct Request ('Forced Browsing')

概覽

CWE-425(Direct Request ('Forced Browsing'))描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
technology Web Based Undetermined
technology Web Server Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-13533 2026-06-29 A security vulnerability has been detected in agentejo Cockpit CMS up to 0.12.2. Affected by this issue is the function Spyc::YAMLLoad of the file /config/config.yaml of the component htaccess Handler…
CVE-2026-10521 2026-06-23 An high privileged remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This can result in a total loss of confid…
CVE-2026-9610 2026-06-22 IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 exposes resources or functionality that isn't linked in the UI but is accessible by directly requesting the URL, b…
CVE-2026-34028 2026-06-15 The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly acc…
CVE-2026-11986 2026-06-11 A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to per…
CVE-2026-8205 2026-05-21 Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being …
CVE-2026-42297 2026-05-09 Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provide…
CVE-2026-7500 2026-04-30 When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully funct…
CVE-2024-58343 2026-04-16 Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.
CVE-2026-35029 2026-04-06 LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already auth…
CVE-2026-29909 2026-03-30 MRCMS V3.1.2 contains an unauthenticated directory enumeration vulnerability in the file management module. The /admin/file/list.do endpoint lacks authentication controls and proper input validation, …
CVE-2025-15381 2026-03-27 In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including…
CVE-2026-4900 2026-03-26 A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessibl…
CVE-2026-34056 2026-03-25 OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low…
CVE-2026-34051 2026-03-25 OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, a…
CVE-2026-33217 2026-03-25 NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, when using ACLs on message subjects, these ACLs were not applied i…
CVE-2026-4532 2026-03-21 A security vulnerability has been detected in code-projects Simple Food Ordering System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /food/sql/food.sql of the comp…
CVE-2026-22732 2026-03-19 When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security …
CVE-2026-32867 2026-03-19 OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would…
CVE-2025-15587 2026-03-16 Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's password by directly accessing a specific resource inaccessible via a …

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Sean Eidemiller 1.0 added/updated demonstrative examples
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations, Time_of_Introduction
2008-08-15 1.0 Suggested OWASP Top Ten 2004 mapping
2008-09-08 CWE Content Team 1.0 updated Alternate_Terms, Relationships, Relationship_Notes, Taxonomy_Mappings, Theoretical_Notes
2008-10-14 CWE Content Team 1.0.1 updated Description
2010-02-16 CWE Content Team 1.8 updated Relationships, Taxonomy_Mappings
2011-03-29 CWE Content Team 1.12 updated Applicable_Platforms, Description, Relationships
2011-06-01 CWE Content Team 1.13 updated Common_Consequences, Relationships
2012-05-11 CWE Content Team 2.2 updated Related_Attack_Patterns, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, Relationships
2018-03-27 CWE Content Team 3.1 updated Relationships
2019-06-20 CWE Content Team 3.3 updated Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Relationships
2021-07-20 CWE Content Team 4.5 updated Related_Attack_Patterns
2021-10-28 CWE Content Team 4.6 updated Relationships
2022-10-13 CWE Content Team 4.9 updated Relationships
2023-01-31 CWE Content Team 4.10 updated Observed_Examples, Related_Attack_Patterns
2023-04-27 CWE Content Team 4.11 updated Modes_of_Introduction, Relationships, Time_of_Introduction
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Relationships, Weakness_Ordinalities
2026-04-30 CWE Content Team 4.20 updated Description, Diagram, Modes_of_Introduction, Observed_Examples
cvelogic Threat Intelligence