CWE-602
Client-Side Enforcement of Server-Side Security
Description
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-162 · CAPEC-202 · CAPEC-207 · CAPEC-208 · CAPEC-21 · CAPEC-31 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388
CVEs mapped to this weakness (56)
page 1 of 3| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42160 | Cri | 0.65 | — | 0.00 | May 8, 2026 | Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization… | ||
| CVE-2025-10640 | Cri | 0.64 | 9.8 | 0.01 | Oct 21, 2025 | An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to the WorkExaminer server and therefore… | ||
| CVE-2025-33025 | Cri | 0.64 | 9.9 | 0.01 | May 13, 2025 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),… | ||
| CVE-2025-33024 | Cri | 0.64 | 9.9 | 0.01 | May 13, 2025 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),… | ||
| CVE-2025-32469 | Cri | 0.64 | 9.9 | 0.01 | May 13, 2025 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),… | ||
| CVE-2024-12603 | Cri | 0.64 | 9.8 | 0.01 | Dec 13, 2024 | A logic vulnerability in the the mobile application (com.transsion.applock) can lead to bypassing the application password. | ||
| CVE-2025-61197 | Hig | 0.58 | 8.9 | 0.00 | Oct 6, 2025 | An issue in Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, Optimod Trio Optimod version 1.0.0.33 - System version 2.5.26 allows a remote attacker to escalate privileges via the application stores user privilege/role information in client-side browser storage | ||
| CVE-2026-11092 | Hig | 0.57 | 8.8 | 0.00 | Jun 4, 2026 | Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium) | ||
| CVE-2025-9495 | — | Hig | 0.57 | — | 0.00 | Sep 23, 2025 | The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI… | |
| CVE-2025-53969 | Hig | 0.57 | 8.8 | 0.00 | Sep 18, 2025 | Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying … | ||
| CVE-2026-11236 | Hig | 0.54 | 8.3 | 0.00 | Jun 4, 2026 | Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) | ||
| CVE-2026-11011 | Hig | 0.53 | 8.1 | 0.00 | Jun 4, 2026 | Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium) | ||
| CVE-2025-42601 | — | Hig | 0.53 | — | 0.00 | Apr 23, 2025 | This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter leading to bypassing the Captcha… | |
| CVE-2025-25497 | Hig | 0.53 | 8.1 | 0.00 | Mar 6, 2025 | An issue in account management interface in Netsweeper Server v.8.2.6 and earlier (fixed in v.8.2.7) allows unauthorized changes to the "Account Owner" field due to client-side-only restrictions and a lack of server-side validation. This vulnerability enables account ownership… | ||
| CVE-2026-42266 | Hig | 0.50 | 8.8 | 0.01 | May 13, 2026 | JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced… | ||
| CVE-2025-40591 | Hig | 0.50 | 7.7 | 0.01 | Jun 10, 2025 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),… | ||
| CVE-2025-7820 | Hig | 0.49 | 7.5 | 0.00 | Nov 27, 2025 | The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for… | ||
| CVE-2025-12115 | Hig | 0.49 | 7.5 | 0.00 | Oct 31, 2025 | The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a… | ||
| CVE-2025-6025 | — | Hig | 0.49 | 7.5 | 0.00 | Aug 15, 2025 | The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated… | |
| CVE-2025-10161 | Hig | 0.47 | 7.3 | 0.00 | Nov 11, 2025 | Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass,… |
- risk 0.65cvss —epss 0.00
Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization…
- risk 0.64cvss 9.8epss 0.01
An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to the WorkExaminer server and therefore…
- risk 0.64cvss 9.9epss 0.01
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…
- risk 0.64cvss 9.9epss 0.01
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…
- risk 0.64cvss 9.9epss 0.01
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…
- risk 0.64cvss 9.8epss 0.01
A logic vulnerability in the the mobile application (com.transsion.applock) can lead to bypassing the application password.
- risk 0.58cvss 8.9epss 0.00
An issue in Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, Optimod Trio Optimod version 1.0.0.33 - System version 2.5.26 allows a remote attacker to escalate privileges via the application stores user privilege/role information in client-side browser storage
- risk 0.57cvss 8.8epss 0.00
Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium)
- risk 0.57cvss —epss 0.00
The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI…
- risk 0.57cvss 8.8epss 0.00
Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying …
- risk 0.54cvss 8.3epss 0.00
Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
- risk 0.53cvss 8.1epss 0.00
Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
- risk 0.53cvss —epss 0.00
This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter leading to bypassing the Captcha…
- risk 0.53cvss 8.1epss 0.00
An issue in account management interface in Netsweeper Server v.8.2.6 and earlier (fixed in v.8.2.7) allows unauthorized changes to the "Account Owner" field due to client-side-only restrictions and a lack of server-side validation. This vulnerability enables account ownership…
- risk 0.50cvss 8.8epss 0.01
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced…
- risk 0.50cvss 7.7epss 0.01
A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…
- risk 0.49cvss 7.5epss 0.00
The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for…
- risk 0.49cvss 7.5epss 0.00
The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a…
- risk 0.49cvss 7.5epss 0.00
The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated…
- risk 0.47cvss 7.3epss 0.00
Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass,…