VYPR

CWE-602

Client-Side Enforcement of Server-Side Security

Class · Draft · Likelihood: Medium

Description

The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-162 · CAPEC-202 · CAPEC-207 · CAPEC-208 · CAPEC-21 · CAPEC-31 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388

CVEs mapped to this weakness (56)

  • CVE-2026-11267 · Medium · Jun 5, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)

  • CVE-2026-11062 · Medium · Jun 4, 2026
    risk 0.28 · CVSS 4.3 · EPSS 0.00

    Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: Medium)

  • CVE-2025-8792 · Medium · Aug 10, 2025
    risk 0.28 · CVSS 4.3 · EPSS 0.01

    A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed…

  • CVE-2025-12788 · Medium · Nov 11, 2025
    risk 0.27 · CVSS 5.3 · EPSS 0.00

    The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment…

  • CVE-2025-4527 · Low · May 11, 2025
    risk 0.24 · CVSS 3.7 · EPSS 0.00

    A security flaw has been discovered in Dígitro NGC Explorer up to 3.44.15/3.48.21. The impacted element is an unknown function of the component Password Transmission Handler. Performing a manipulation results in client-side enforcement of server-side security. The attack can be…

  • CVE-2024-6620 · Low · Jul 29, 2024
    risk 0.23 · CVSS 3.5 · EPSS 0.00

    Honeywell PC42t, PC42tp, and PC42d Printers, T10.19.020016 to T10.20.060398, contain a cross-site scripting vulnerability. An attacker could potentially inject malicious code which may lead to information disclosure, session theft, or client-side request forgery. Honeywell…

  • CVE-2026-39415 · Medium · Apr 8, 2026
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on…

  • CVE-2026-30933 · Mar 10, 2026
    risk 0.00 · CVSS (none) · EPSS 0.01

    FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in…

  • CVE-2026-27611 · Feb 25, 2026
    risk 0.00 · CVSS (none) · EPSS 0.00

    FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a…

  • CVE-2025-66507 · Dec 9, 2025
    risk 0.00 · CVSS (none) · EPSS 0.00

    1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper…

  • CVE-2025-23041 · Jan 14, 2025
    risk 0.00 · CVSS (none) · EPSS 0.00

    Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are…

  • CVE-2024-52008 · Nov 26, 2024
    risk 0.00 · CVSS (none) · EPSS 0.01

    Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity…

  • CVE-2020-8162 · Jun 19, 2020
    risk 0.00 · CVSS (none) · EPSS 0.03

    A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.

  • CVE-2017-12161 · High · Feb 21, 2018
    risk 0.00 · CVSS 8.8 · EPSS 0.01

    It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information…

  • CVE-2014-2374 · Nov 5, 2014
    risk 0.00 · CVSS (none) · EPSS 0.02

    The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.

  • CVE-2014-2373 · Nov 5, 2014
    risk 0.00 · CVSS (none) · EPSS 0.02

    The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.