Direct Request ('Forced Browsing')

CVE-2005-1654

High

7.5/10

Summary

Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set.

Access Complexity: LOW
AccessVector: NETWORK
Authentication: NONE
Integrity Impact: PARTIAL
Confidentiality Impact: PARTIAL
Availability Impact: PARTIAL

CWE-425 - Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References

Advisory Timeline

Published May 18, 2005

Direct Request ('Forced Browsing')

CVE-2005-1654

Summary

CWE-425 - Direct Request ('Forced Browsing')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS