Vulnerabilities > Direct Request ('Forced Browsing')

DATE CVE VULNERABILITY TITLE RISK
2020-12-09 CVE-2020-29656 Forced Browsing vulnerability in Asus Rt-Ac88U Firmware 3.0.0.4.386.46061
An information disclosure vulnerability exists in RT-AC88U Download Master before 3.1.0.108.
network
low complexity
asus CWE-425
7.5
2020-12-03 CVE-2020-28937 Forced Browsing vulnerability in Openclinic Project Openclinic 0.8.2
OpenClinic version 0.8.2 is affected by a missing authentication vulnerability that allows unauthenticated users to access any patient's medical test results, possibly resulting in disclosure of Protected Health Information (PHI) stored in the application, via a direct request for the /tests/ URI.
network
low complexity
openclinic-project CWE-425
7.5
2020-10-20 CVE-2020-24765 Forced Browsing vulnerability in Mind Imind Server 3.13.65
InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request.
network
low complexity
mind CWE-425
7.5
2020-09-30 CVE-2020-26150 Forced Browsing vulnerability in Logaritmo Aware Callmanager 2012
info.php in Logaritmo Aware CallManager 2012 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function.
network
low complexity
logaritmo CWE-425
7.5
2020-09-14 CVE-2020-24660 Forced Browsing vulnerability in multiple products
An issue was discovered in LemonLDAP::NG through 2.0.8, when NGINX is used.
network
low complexity
lemonldap-ng debian CWE-425
critical
9.8
2020-08-27 CVE-2020-24203 Forced Browsing vulnerability in Projectworlds Travel Management System 1.0
Insecure File Permissions and Arbitrary File Upload in the upload pic function in updatesubcategory.php in Projects World Travel Management System v1.0 allows remote unauthenticated attackers to gain remote code execution.
network
low complexity
projectworlds CWE-425
critical
9.8
2020-06-11 CVE-2020-13850 Forced Browsing vulnerability in Pandorafms Pandora FMS 7.44
Artica Pandora FMS 7.44 has inadequate access controls on a web folder.
network
low complexity
pandorafms CWE-425
7.5
2020-05-13 CVE-2019-2388 Forced Browsing vulnerability in Mongodb OPS Manager 4.0.10/4.0.9/4.1.5
In affected Ops Manager versions there is an exposed http route was that may allow attackers to view a specific access log of a publicly exposed Ops Manager instance.
network
low complexity
mongodb CWE-425
5.3
2020-04-07 CVE-2020-11561 Forced Browsing vulnerability in Nchsoftware Express Invoice 7.25
In NCH Express Invoice 7.25, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as the "Add New Item" screen.
network
low complexity
nchsoftware CWE-425
8.8
2020-03-11 CVE-2016-1000111 Forced Browsing vulnerability in Twisted
Twisted before 16.3.1 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue.
network
low complexity
twisted CWE-425
5.3