VYPR

CWE-602

Client-Side Enforcement of Server-Side Security

Abstraction: Class · Status: Draft · Likelihood of Exploit: Medium

Description

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect. In practice the attacker rarely needs to modify the client at all: the same request can be crafted or replayed with an intercepting proxy, curl, or a purpose-built client, so any check that exists only in browser JavaScript, a mobile app, or a desktop console (form validation, hidden or disabled controls, a role flag kept in local storage, a CAPTCHA the client "already verified") gives the server no protection. The server has to recompute every security decision from state it holds itself, and treat what the client sends as a claim to be verified rather than a fact.
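The pattern and its fix, as an added example that is not part of the CWE entry or any product listed below. The catalog, session store, name-your-price floor and HMAC-based CAPTCHA token are all constructed for the example; the vulnerable handler accepts the price, the role and the CAPTCHA status the client asserts, while the hardened handler derives each of them from server-side state and fails closed when a field is missing.

```python
import hmac
import hashlib

# Assumed server-side state (constructed for the example, not real data).
SECRET = b"server-only-secret"                    # never shipped to the client
CATALOG = {"sku-100": 2500, "sku-200": 999}       # prices in cents
NAME_YOUR_PRICE = {"sku-200"}                     # only these SKUs accept a customer price
MIN_NAMED_PRICE = 500                             # floor for a customer-named price
SESSION_ROLES = {"sess-alice": "user", "sess-root": "admin"}  # role lives in the session


def captcha_token(challenge_id: str) -> str:
    """Token the server mints when it issues a CAPTCHA challenge; the client
    must echo it back, and only the server can reproduce it."""
    return hmac.new(SECRET, challenge_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_checkout(req: dict) -> dict:
    """CWE-602: trusts the price the client displayed, the role the client
    kept in local storage, and the client's claim that its JS already passed
    the CAPTCHA. Stripping the captcha fields is simply not noticed."""
    discount = 1.0 if req.get("role") == "admin" else 0.0   # admin orders are comped
    total = int(req["price"]) * int(req["qty"])
    return {"ok": True, "charged": int(total * (1 - discount))}


def hardened_checkout(req: dict, session_id: str) -> dict:
    """Every security-relevant value is recomputed from server-side state."""
    role = SESSION_ROLES.get(session_id)          # never read from the request body
    if role is None:
        return {"ok": False, "reason": "unauthenticated"}

    # CAPTCHA: a missing or wrong token is a failure, never a pass.
    sent = req.get("captcha_token", "").encode()
    expected = captcha_token(req.get("captcha_id", "")).encode()
    if not hmac.compare_digest(sent, expected):
        return {"ok": False, "reason": "captcha"}

    sku = req.get("sku")
    if sku not in CATALOG:
        return {"ok": False, "reason": "unknown sku"}
    qty = req.get("qty")
    if not isinstance(qty, int) or not 1 <= qty <= 10:
        return {"ok": False, "reason": "qty"}

    # Price comes from the catalog; a client-supplied price is honoured only
    # for SKUs where that feature is enabled server-side, and only above the floor.
    price = CATALOG[sku]
    if "price" in req:
        if sku not in NAME_YOUR_PRICE:
            return {"ok": False, "reason": "price not customer-settable"}
        named = req["price"]
        if not isinstance(named, int) or named < MIN_NAMED_PRICE:
            return {"ok": False, "reason": "named price below floor"}
        price = named

    discount = 1.0 if role == "admin" else 0.0
    return {"ok": True, "charged": int(price * qty * (1 - discount))}


# Constructed requests: one from a well-behaved client, one from a client that
# dropped the CAPTCHA fields, set its own price and claimed the admin role.
HONEST = {"sku": "sku-200", "qty": 2, "price": 700,
          "captcha_id": "c1", "captcha_token": captcha_token("c1")}
TAMPERED = {"sku": "sku-100", "qty": 2, "price": 1, "role": "admin"}
TAMPERED_WITH_CAPTCHA = dict(TAMPERED, captcha_id="c1", captcha_token=captcha_token("c1"))


def demo() -> dict:
    return {
        "vuln_tampered": vulnerable_checkout(TAMPERED),
        "hard_honest": hardened_checkout(HONEST, "sess-alice"),
        "hard_tampered": hardened_checkout(TAMPERED, "sess-alice"),
        "hard_tampered_captcha": hardened_checkout(TAMPERED_WITH_CAPTCHA, "sess-alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The useful check when reviewing a handler is to list every field the client sends and ask, for each one, which server-side value would have to agree with it; anything with no such value (here `role`, and `price` on a SKU that is not customer-priced) is a decision the server has delegated to the attacker.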

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-162 · CAPEC-202 · CAPEC-207 · CAPEC-208 · CAPEC-21 · CAPEC-31 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388

CVEs mapped to this weakness (56; page 1 of 3)
  • CVE-2026-42160 · Critical · May 8, 2026
    risk 0.65 · cvss not listed · epss 0.00

    Data Space Portal is an open-source Software as a Service (SaaS) solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization…

  • CVE-2025-10640 · Critical · Oct 21, 2025
    risk 0.64 · cvss 9.8 · epss 0.01

    An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to the WorkExaminer server and therefore…

  • CVE-2025-33025 · Critical · May 13, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…

  • CVE-2025-33024 · Critical · May 13, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…

  • CVE-2025-32469 · Critical · May 13, 2025
    risk 0.64 · cvss 9.9 · epss 0.01

    A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…

  • CVE-2024-12603 · Critical · Dec 13, 2024
    risk 0.64 · cvss 9.8 · epss 0.01

    A logic vulnerability in the mobile application (com.transsion.applock) can lead to bypassing the application password.

  • CVE-2025-61197 · High · Oct 6, 2025
    risk 0.58 · cvss 8.9 · epss 0.00

    An issue in Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, Optimod Trio Optimod version 1.0.0.33 - System version 2.5.26 allows a remote attacker to escalate privileges because the application stores user privilege/role information in client-side browser storage.

  • CVE-2026-11092 · High · Jun 4, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    Insufficient policy enforcement in DevTools in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to perform privilege escalation via a crafted Chrome Extension. (Chromium security severity: Medium)

  • CVE-2025-9495 · High · Sep 23, 2025
    risk 0.57 · cvss not listed · epss 0.00

    The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI…

  • CVE-2025-53969 · High · Sep 18, 2025
    risk 0.57 · cvss 8.8 · epss 0.00

    Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying …

  • CVE-2026-11236 · High · Jun 4, 2026
    risk 0.54 · cvss 8.3 · epss 0.00

    Insufficient policy enforcement in Web Bluetooth in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-11011 · High · Jun 4, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Insufficient policy enforcement in Password Manager in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2025-42601 · High · Apr 23, 2025
    risk 0.53 · cvss not listed · epss 0.00

    This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter leading to bypassing the Captcha…

  • CVE-2025-25497 · High · Mar 6, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    An issue in account management interface in Netsweeper Server v.8.2.6 and earlier (fixed in v.8.2.7) allows unauthorized changes to the "Account Owner" field due to client-side-only restrictions and a lack of server-side validation. This vulnerability enables account ownership…

  • CVE-2026-42266 · High · May 13, 2026
    risk 0.50 · cvss 8.8 · epss 0.01

    JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager (allowed_extensions_uris) is not correctly enforced…

  • CVE-2025-40591 · High · Jun 10, 2025
    risk 0.50 · cvss 7.7 · epss 0.01

    A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.16.5), RUGGEDCOM ROX MX5000RE (All versions < V2.16.5), RUGGEDCOM ROX RX1400 (All versions < V2.16.5), RUGGEDCOM ROX RX1500 (All versions < V2.16.5), RUGGEDCOM ROX RX1501 (All versions < V2.16.5),…

  • CVE-2025-7820 · High · Nov 27, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for…

  • CVE-2025-12115 · High · Oct 31, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a…

  • CVE-2025-6025 · High · Aug 15, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated…

  • CVE-2025-10161 · High · Nov 11, 2025
    risk 0.47 · cvss 7.3 · epss 0.00

    Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass,…