VYPR

CWE-602

Client-Side Enforcement of Server-Side Security

Abstraction: Class · Status: Draft · Likelihood: Medium

Description

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior (editing the page's scripts, replaying a request through an intercepting proxy, or hand-building the request) to bypass those mechanisms, producing interactions the server was never designed to handle. The consequences vary with what the mechanism was protecting: a form range check, a registration toggle, a permission check, a logout, or an outcome such as a prize draw that the server should have decided itself. Client-side checks remain useful for usability, but every check the server depends on has to be repeated or performed on the server.
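As an added example, not code from the CWE entry or from any product in the mapped CVE list, the same weakness written twice: an admin endpoint for loan plans whose range limits live only in the HTML form, and a prize spin whose result the client reports, each beside a server-enforced version. The field names, limits, prize odds and the tampered requests are constructed for illustration.

```python
"""
Added example (not the CWE entry's or any vendor's code): loan-plan and
prize handlers, each trusting a client-side check (CWE-602) and then
enforcing the rule on the server. All names, limits and requests are
constructed for illustration.
"""
from dataclasses import dataclass
import secrets

# Limits the HTML form enforces with <input type="number" min= max=> and an
# onsubmit script. The browser is under the attacker's control, so by the
# time a request reaches the server nothing guarantees these held.
MAX_INTEREST_PCT = 30.0
MAX_PENALTY_PCT = 10.0


class ValidationError(ValueError):
    pass


@dataclass
class LoanPlan:
    name: str
    interest_pct: float
    penalty_pct: float


def create_plan_vulnerable(form: dict) -> LoanPlan:
    """Stores whatever arrives; assumes the form already checked the ranges."""
    return LoanPlan(
        name=form["name"],
        interest_pct=float(form["interest_pct"]),
        penalty_pct=float(form["penalty_pct"]),
    )


def _pct(form: dict, key: str, upper: float) -> float:
    """Parse one percentage field and bound it; NaN, inf and negatives fail."""
    try:
        value = float(form[key])
    except (KeyError, TypeError, ValueError):
        raise ValidationError(f"{key}: missing or not a number") from None
    # Every comparison with NaN is False, so NaN also falls through to the raise.
    if not (0.0 <= value <= upper):
        raise ValidationError(f"{key}: {value!r} outside 0..{upper}")
    return value


def create_plan_hardened(form: dict) -> LoanPlan:
    """Re-applies every rule the form applied; the request is untrusted."""
    name = str(form.get("name", "")).strip()
    if not 1 <= len(name) <= 64:
        raise ValidationError("name: length must be 1..64")
    return LoanPlan(
        name=name,
        interest_pct=_pct(form, "interest_pct", MAX_INTEREST_PCT),
        penalty_pct=_pct(form, "penalty_pct", MAX_PENALTY_PCT),
    )


def plan_rejected(form: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        create_plan_hardened(form)
    except ValidationError:
        return True
    return False


# Second shape of the same weakness: the client reports an outcome the
# server should have decided (a spin-the-wheel prize). Odds are constructed.
PRIZES = ("coupon_5", "coupon_10", "grand_prize")
PRIZE_WEIGHTS = (89, 10, 1)   # out of 100


def claim_prize_vulnerable(body: dict) -> str:
    """Client script spins, posts {"prize": ...}, server records it as won."""
    return body["prize"]


def spin_prize_hardened(_body: dict, randbelow=secrets.randbelow) -> str:
    """Server draws the prize with its own CSPRNG; the request body is ignored.
    randbelow is injectable only so the draw can be checked deterministically."""
    roll = randbelow(sum(PRIZE_WEIGHTS))
    for prize, weight in zip(PRIZES, PRIZE_WEIGHTS):
        if roll < weight:
            return prize
        roll -= weight
    raise RuntimeError("weights do not cover the roll")


if __name__ == "__main__":
    # A request sent through a proxy; the form would never have produced it.
    tampered = {"name": "Free money", "interest_pct": "-50", "penalty_pct": "1e9"}
    print(create_plan_vulnerable(tampered))              # stored as-is
    print(plan_rejected(tampered))                       # True
    print(claim_prize_vulnerable({"prize": "grand_prize"}))  # always "wins"
    print(spin_prize_hardened({"prize": "grand_prize"}))     # server decides
```

The hardened handlers do not try to detect tampering; they simply never consult the client for a decision the server owns. That is the check a reviewer should look for in each entry below: whether the rule the client enforces is also applied, or the outcome is also produced, on the server.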

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-162 · CAPEC-202 · CAPEC-207 · CAPEC-208 · CAPEC-21 · CAPEC-31 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388

CVEs mapped to this weakness (56)

page 2 of 3
  • CVE-2025-6249 · Medium · Jul 17, 2025
    risk 0.44 · cvss 6.7 · epss 0.00

    An authentication bypass vulnerability was reported in FileZ client application that could allow a local attacker with elevated permissions access to application data.

  • CVE-2026-11287 · Medium · Jun 5, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)

  • CVE-2026-11025 · Medium · Jun 4, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11018 · Medium · Jun 4, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-11014 · Medium · Jun 4, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: Medium)

  • CVE-2026-5901 · Medium · Apr 8, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security…

  • CVE-2026-30522 · Medium · Apr 1, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users…

  • CVE-2026-30521 · Medium · Mar 31, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering…

  • CVE-2026-11184 · Medium · Jun 4, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)

  • CVE-2026-44567 · High · May 15, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the…

  • CVE-2025-41402 · Medium · Oct 23, 2025
    risk 0.36 · cvss 5.5 · epss 0.00

    Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to…

  • CVE-2017-14013 · Medium · Oct 17, 2017
    risk 0.36 · cvss 5.6 · epss 0.01

    A Client-Side Enforcement of Server-Side Security issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user's session only on the client side. This may allow an attacker to bypass protection mechanisms,…

  • CVE-2023-0581 · Medium · Jan 30, 2023
    risk 0.35 · cvss 5.3 · epss 0.01

    The PrivateContent plugin for WordPress is vulnerable to protection mechanism bypass due to the use of client side validation in versions up to, and including, 8.4.3. This is due to the plugin checking if an IP had been blocklist via client-side scripts rather than server-side.…

  • CVE-2026-0808 · Medium · Jan 17, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for…

  • CVE-2025-43699 · Medium · Jun 10, 2025
    risk 0.34 · cvss 5.3 · epss 0.00

    Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of required permission check. This impacts OmniStudio: before Spring 2025

  • CVE-2024-32521 · Medium · May 17, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Client-Side Enforcement of Server-Side Security vulnerability in Highfivery LLC Zero Spam allows Removing Important Client Functionality. This issue affects Zero Spam: from n/a through 5.5.6.

  • CVE-2024-32512 · Medium · May 17, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality. This issue affects weForms: from n/a through 1.6.20.

  • CVE-2024-0701 · Medium · Feb 5, 2024
    risk 0.34 · cvss 5.3 · epss 0.01

    The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the plugin's General settings. This makes it…

  • CVE-2026-42329 · Medium · Jun 4, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    Iris is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 contain a weakness where an attacker can misuse it to redirect the user to a malicious website controlled by an attacker. Version 2.4.28…

  • CVE-2024-6831 · Medium · Nov 26, 2024
    risk 0.29 · cvss 4.4 · epss 0.00

    Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program has found that it is possible to edit and/or remove views without the necessary permission due to a client-side-only check. Axis has released patched versions for the highlighted flaw. Please refer to the Axis…