Abstraction: Base · Status: Incomplete

CWE-425 Direct Request ('Forced Browsing')

Category: other

Description

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

Common consequences · 1

  • Scope: Confidentiality, Integrity, Availability, Access Control. Impact: Read Application Data, Modify Application Data, Execute Unauthorized Code or Commands, Gain Privileges or Assume Identity

Potential mitigations · 2

  • [Architecture and Design, Operation] Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.
  • [Architecture and Design] Consider using MVC-based frameworks such as Struts.
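The weakness in the description and the first mitigation are two sides of one design decision: whether a URL is reachable because somebody linked to it, or because a policy explicitly allows the requester. The block below is an added example written for this page (it is not MITRE's code and does not come from any product listed here; every route, role and file name is hypothetical). It shows the vulnerable shape, where an unlinked admin export and a stray backup file are served with no check, next to a deny-by-default dispatcher that refuses to register a route without a policy, and finishes with the forced-browsing probe a reviewer would run against both.

```python
"""CWE-425 illustrated: an unlinked URL is not a protected URL.

Added example for this page, not code from MITRE or from any product
referenced here. All routes, roles and file names are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[str] = None          # None = unauthenticated
    roles: frozenset = frozenset()


# --- Vulnerable pattern -----------------------------------------------------
# Authorization is applied per handler, and only on the pages the UI links to.
# /admin/export is never linked, so the author assumed it could not be reached.

def vulnerable_app(req: Request) -> tuple[int, str]:
    if req.path == "/":
        return 200, "home"
    if req.path == "/admin":
        if "admin" not in req.roles:
            return 403, "forbidden"
        return 200, "admin panel"
    if req.path == "/admin/export":         # CWE-425: no check at all
        return 200, "full user database"
    if req.path.startswith("/backup/"):     # stray backup files served from webroot
        return 200, "backup contents"
    return 404, "not found"


# --- Hardened pattern -------------------------------------------------------
# Deny by default: a URL is only reachable if it was registered together with
# an explicit policy, and the dispatcher enforces that policy before any
# handler runs. There is no way to add a reachable URL without a policy.

class SecureApp:
    def __init__(self) -> None:
        self._routes: dict[str, tuple[Optional[str], Callable[[Request], str]]] = {}

    def route(self, path: str, requires: Optional[str] = None):
        """requires=None means anonymous access is intended; anything else is
        the role needed. The policy lives next to the route, in one place."""
        def register(fn: Callable[[Request], str]):
            self._routes[path] = (requires, fn)
            return fn
        return register

    def handle(self, req: Request) -> tuple[int, str]:
        entry = self._routes.get(req.path)
        if entry is None:
            return 404, "not found"         # unregistered paths are never served
        required, handler = entry
        if required is not None:
            if req.user is None:
                return 401, "authentication required"
            if required not in req.roles:
                return 403, "forbidden"
        return 200, handler(req)


secure_app = SecureApp()

@secure_app.route("/")
def home(req: Request) -> str:
    return "home"

@secure_app.route("/admin", requires="admin")
def admin_panel(req: Request) -> str:
    return "admin panel"

@secure_app.route("/admin/export", requires="admin")
def admin_export(req: Request) -> str:
    return "full user database"
# No handler for /backup/*: files that are not routes are not served.


# --- The check a reviewer runs: forced-browsing probe ------------------------
# Request every candidate path anonymously and report what comes back 200.
# In a real engagement this is a wordlist against the live server; here it is
# a constructed list against the in-process handlers.

CANDIDATES = ["/", "/admin", "/admin/export", "/backup/db.sql.bak", "/debug"]

def anonymously_reachable(app: Callable[[Request], tuple[int, str]],
                          candidates=CANDIDATES) -> list[str]:
    return [p for p in candidates if app(Request(path=p))[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", anonymously_reachable(vulnerable_app))   # ['/', '/admin/export', '/backup/db.sql.bak']
    print("hardened:  ", anonymously_reachable(secure_app.handle))  # ['/']
```

The probe is the practical test for this weakness: it ignores the UI entirely and asks each candidate URL directly, which is exactly what the attack patterns listed below do. The hardened dispatcher matches paths exactly; a production version must normalise the request path (case, trailing slashes, percent-encoding, duplicate separators) before the lookup, otherwise the policy check can be sidestepped by a variant spelling of the same URL.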

Related CAPEC attack patterns · 5

  • CAPEC-87 Forceful Browsing
  • CAPEC-127 Directory Indexing
  • CAPEC-143 Detect Unpublicized Web Pages
  • CAPEC-144 Detect Unpublicized Web Services
  • CAPEC-668 Key Negotiation of Bluetooth Attack (KNOB)

References

  1. https://cwe.mitre.org/data/definitions/425.html

Exploits (incoming) · 5

Type           Target                                                Confidence  Tier
AttackPattern  Detect Unpublicized Web Pages (capec-143)             100%        live
AttackPattern  Key Negotiation of Bluetooth Attack (KNOB) (capec-668)  100%        live
AttackPattern  Directory Indexing (capec-127)                        100%        live
AttackPattern  Detect Unpublicized Web Services (capec-144)          100%        live
AttackPattern  Forceful Browsing (capec-87)                          100%        live

(incoming) · 12

Type           Target                                                                                         Confidence  Tier
Vulnerability  CVE-2025-26689 (cve-2025-26689)                                                                0%          live
Vulnerability  CVE-2025-32367 (cve-2025-32367)                                                                0%          live
Vulnerability  CVE-2025-46690 (cve-2025-46690)                                                                0%          live
Vulnerability  CVE-2025-48201 (cve-2025-48201)                                                                0%          live
Vulnerability  CVE-2025-48205 (cve-2025-48205)                                                                0%          live
Vulnerability  CVE-2025-48207 (cve-2025-48207)                                                                0%          live
Vulnerability  CVE-2025-52024 (cve-2025-52024)                                                                0%          live
Vulnerability  CVE-2025-6352 (cve-2025-6352)                                                                  0%          live
Vulnerability  CVE-2026-22732 (cve-2026-22732)                                                                0%          live
Vulnerability  CVE-2026-32867 (cve-2026-32867)                                                                0%          live
KEVEntry       Atlassian Confluence Server Pre-Authorization Arbitrary File Read Vulnerability (kev-cve-2021-26085)  0%          live
KEVEntry       Apache OFBiz Forced Browsing Vulnerability (kev-cve-2024-45195)                                0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Cross-Site Request Forgery (CSRF)
  • CWE: Unprotected Transport of Credentials
  • CWE: Improper Access Control
  • CWE: Use of HTTP Request With Sensitive Query String
  • CWE: Improper Authorization
  • CWE: URL Redirection to Untrusted Site ('Open Redirect')

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.