Vulnerabilities > Direct Request ('Forced Browsing')
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2019-01-11 | CVE-2019-6126 | Forced Browsing vulnerability in Advance Peer to Peer MLM Script Project Advance Peer to Peer MLM Script 1.7.0 | The Admin Panel of PHP Scripts Mall Advance Peer to Peer MLM Script v1.7.0 allows remote attackers to bypass intended access restrictions by directly navigating to admin/dashboard.php or admin/user.php, as demonstrated by disclosure of information about users and staff. | 7.5 |
2018-12-20 | CVE-2018-6669 | Forced Browsing vulnerability in Mcafee Application Change Control 6.2.0/7.0.0/7.0.1 | A whitelist bypass vulnerability in McAfee Application Control / Change Control 7.0.1 and before allows a remote or local user to execute blacklisted files through an ASP.NET form. | 8.0 |
2018-12-13 | CVE-2018-18922 | Forced Browsing vulnerability in Abisoftgt Ticketly 1.0 | add_user in AbiSoft Ticketly 1.0 allows remote attackers to create administrator accounts via an action/add_user.php POST request. | 9.8 |
2018-11-28 | CVE-2018-19620 | Forced Browsing vulnerability in Showdoc 2.4.1 | ShowDoc 2.4.1 allows remote attackers to edit other users' notes by navigating with a modified page_id. | 4.3 |
2018-11-12 | CVE-2018-19207 | Forced Browsing vulnerability in Van-Ons Wp-Gdpr-Compliance | The Van Ons WP GDPR Compliance (aka wp-gdpr-compliance) plugin before 1.4.3 for WordPress allows remote attackers to execute arbitrary code because $wpdb->prepare() input is mishandled, as exploited in the wild in November 2018. | 9.8 |
2018-11-11 | CVE-2018-19143 | Forced Browsing vulnerability in multiple products | Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5.0.31, and 6.0.x before 6.0.13 allows an authenticated user to delete files via a modified submission form because upload caching is mishandled. | 6.5 |
2018-11-08 | CVE-2018-19109 | Forced Browsing vulnerability in Tianti Project Tianti 2.3 | tianti 2.3 allows remote authenticated users to bypass intended permission restrictions by visiting tianti-module-admin/cms/column/list directly to read the column list page or edit a column. | 8.8 |
2018-09-14 | CVE-2018-16706 | Forced Browsing vulnerability in LG Supersign CMS | LG SuperSign CMS allows TVs to be rebooted remotely without authentication via a direct HTTP request to /qsr_server/device/reboot on port 9080. | 7.5 |
2018-05-24 | CVE-2018-7526 | Forced Browsing vulnerability in Beaconmedaes Scroll Medical AIR Systems Firmware | In TotalAlert Web Application in BeaconMedaes Scroll Medical Air Systems prior to v4107600010.23, by accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access information in the application without authenticating. | 7.5 |
2018-05-22 | CVE-2018-11346 | Forced Browsing vulnerability in Asustor As6202T Firmware Adm3.1.0.Rfq3 | An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "download_sys_settings" action and then specify files arbitrarily throughout the system via the act parameter. | 4.3 |