CWE-602
Client-Side Enforcement of Server-Side Security
Description
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-162 · CAPEC-202 · CAPEC-207 · CAPEC-208 · CAPEC-21 · CAPEC-31 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388
CVEs mapped to this weakness (56)
Page 2 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-6249 | | Med | 0.44 | 6.7 | 0.00 | | Jul 17, 2025 | An authentication bypass vulnerability was reported in the FileZ client application that could allow a local attacker with elevated permissions access to application data. |
| CVE-2026-11287 | | Med | 0.42 | 6.5 | 0.00 | | Jun 5, 2026 | Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-11025 | | Med | 0.42 | 6.5 | 0.00 | | Jun 4, 2026 | Insufficient policy enforcement in Navigation in Google Chrome on Android prior to 149.0.7827.53 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-11018 | | Med | 0.42 | 6.5 | 0.00 | | Jun 4, 2026 | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-11014 | | Med | 0.42 | 6.5 | 0.00 | | Jun 4, 2026 | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: Medium) |
| CVE-2026-5901 | | Med | 0.42 | 6.5 | 0.00 | | Apr 8, 2026 | Insufficient policy enforcement in DevTools in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to bypass enterprise host restrictions for cookie modification via a crafted Chrome Extension. (Chromium security… |
| CVE-2026-30522 | | Med | 0.42 | 6.5 | 0.00 | | Apr 1, 2026 | A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users… |
| CVE-2026-30521 | | Med | 0.42 | 6.5 | 0.00 | | Mar 31, 2026 | A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering… |
| CVE-2026-11184 | | Med | 0.41 | 6.3 | 0.00 | | Jun 4, 2026 | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-44567 | | High | 0.40 | 7.3 | 0.00 | | May 15, 2026 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.1.124, the API does not properly validate that the user has an authorized user role of user. By default, when Open WebUI is configured with new sign-ups enabled, the… |
| CVE-2025-41402 | | Med | 0.36 | 5.5 | 0.00 | | Oct 23, 2025 | Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to… |
| CVE-2017-14013 | | Med | 0.36 | 5.6 | 0.01 | | Oct 17, 2017 | A Client-Side Enforcement of Server-Side Security issue was discovered in the ProMinent MultiFLEX M10a Controller web interface. The log out function in the application removes the user's session only on the client side. This may allow an attacker to bypass protection mechanisms,… |
| CVE-2023-0581 | | Med | 0.35 | 5.3 | 0.01 | | Jan 30, 2023 | The PrivateContent plugin for WordPress is vulnerable to protection mechanism bypass due to the use of client-side validation in versions up to, and including, 8.4.3. This is due to the plugin checking whether an IP had been blocklisted via client-side scripts rather than server-side.… |
| CVE-2026-0808 | | Med | 0.34 | 5.3 | 0.00 | | Jan 17, 2026 | The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for… |
| CVE-2025-43699 | | Med | 0.34 | 5.3 | 0.00 | | Jun 10, 2025 | Client-Side Enforcement of Server-Side Security vulnerability in Salesforce OmniStudio (FlexCards) allows bypass of a required permission check. This impacts OmniStudio: before Spring 2025. |
| CVE-2024-32521 | | Med | 0.34 | 5.3 | 0.00 | | May 17, 2024 | Client-Side Enforcement of Server-Side Security vulnerability in Highfivery LLC Zero Spam allows Removing Important Client Functionality. This issue affects Zero Spam: from n/a through 5.5.6. |
| CVE-2024-32512 | | Med | 0.34 | 5.3 | 0.00 | | May 17, 2024 | Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality. This issue affects weForms: from n/a through 1.6.20. |
| CVE-2024-0701 | | Med | 0.34 | 5.3 | 0.01 | | Feb 5, 2024 | The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the plugin's General settings. This makes it… |
| CVE-2026-42329 | | Med | 0.31 | 4.7 | 0.00 | | Jun 4, 2026 | Iris is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 contain a weakness where an attacker can misuse it to redirect the user to a malicious website controlled by an attacker. Version 2.4.28… |
| CVE-2024-6831 | | Med | 0.29 | 4.4 | 0.00 | | Nov 26, 2024 | Seth Fogie, a member of the AXIS Camera Station Pro Bug Bounty Program, has found that it is possible to edit and/or remove views without the necessary permission due to a client-side-only check. Axis has released patched versions for the highlighted flaw. Please refer to the Axis… |