CWE-425

Access-control setting in web-based document collaboration tool is not properly implemented by the code, which prevents listing hidden directories but does not prevent direct requests to files in those directories.

Bypass authentication via direct request.

Infinite loop or infoleak triggered by direct requests.

Bypass auth/auth via direct request.

Direct request leads to infoleak by error.

Direct request leads to infoleak by error.

Direct request leads to infoleak by error.

Authentication bypass via direct request.

Authentication bypass via direct request.

Authorization bypass using direct request.