Vulnerabilities > Direct Request ('Forced Browsing')

DATE CVE VULNERABILITY TITLE RISK
2021-04-12 CVE-2021-24215 Forced Browsing vulnerability in Wpruby Controlled Admin Access
An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2.
network
low complexity
wpruby CWE-425
critical
9.8
2021-04-06 CVE-2021-30144 Forced Browsing vulnerability in Glpi-Project Dashboard
The Dashboard plugin through 1.0.2 for GLPI allows remote low-privileged users to bypass access control on viewing information about the last ten events, the connected users, and the users in the tech category.
network
low complexity
glpi-project CWE-425
4.3
2021-03-26 CVE-2021-22180 Forced Browsing vulnerability in Gitlab
An issue has been discovered in GitLab affecting all versions starting from 13.4.
network
low complexity
gitlab CWE-425
4.0
2021-02-16 CVE-2020-35570 Forced Browsing vulnerability in multiple products
An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual through 2.11.2.
network
low complexity
mbconnectline helmholz CWE-425
5.3
2021-01-01 CVE-2020-35391 Forced Browsing vulnerability in Tenda F3 Firmware 12.01.01.48
Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942.
low complexity
tenda CWE-425
6.5
2020-12-11 CVE-2020-7541 Forced Browsing vulnerability in Schneider-Electric products
A CWE-425: Direct Request ('Forced Browsing') vulnerability exists in the Web Server on Modicon M340, Legacy Offers Modicon Quantum and Modicon Premium and associated Communication Modules (see security notification for affected versions), that could cause disclosure of sensitive data when sending a specially crafted request to the controller over HTTP.
network
low complexity
schneider-electric CWE-425
5.3
2020-09-14 CVE-2020-24660 Forced Browsing vulnerability in multiple products
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used.
network
low complexity
lemonldap-ng debian CWE-425
7.5
2020-08-27 CVE-2020-24203 Forced Browsing vulnerability in Projectworlds Travel Management System 1.0
Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.
network
low complexity
projectworlds CWE-425
7.5
2020-05-13 CVE-2019-2388 Forced Browsing vulnerability in Mongodb OPS Manager 4.0.10/4.0.9/4.1.5
In affected Ops Manager versions, there is an exposed HTTP route that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance.
network
low complexity
mongodb CWE-425
5.3
2020-03-11 CVE-2016-1000111 Forced Browsing vulnerability in Twistedmatrix Twisted
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
network
low complexity
twistedmatrix CWE-425
5.0