CWE-602
Client-Side Enforcement of Server-Side Security
Description
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-162 · CAPEC-202 · CAPEC-207 · CAPEC-208 · CAPEC-21 · CAPEC-31 · CAPEC-383 · CAPEC-384 · CAPEC-385 · CAPEC-386 · CAPEC-387 · CAPEC-388
CVEs mapped to this weakness (56)
page 3 of 3| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-11267 | Med | 0.28 | 4.3 | 0.00 | Jun 5, 2026 | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low) | ||
| CVE-2026-11062 | Med | 0.28 | 4.3 | 0.00 | Jun 4, 2026 | Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: Medium) | ||
| CVE-2025-8792 | Med | 0.28 | 4.3 | 0.01 | Aug 10, 2025 | A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed… | ||
| CVE-2025-12788 | Med | 0.27 | 5.3 | 0.00 | Nov 11, 2025 | The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment… | ||
| CVE-2025-4527 | Low | 0.24 | 3.7 | 0.00 | May 11, 2025 | A security flaw has been discovered in Dígitro NGC Explorer up to 3.44.15/3.48.21. The impacted element is an unknown function of the component Password Transmission Handler. Performing a manipulation results in client-side enforcement of server-side security. The attack can be… | ||
| CVE-2024-6620 | Low | 0.23 | 3.5 | 0.00 | Jul 29, 2024 | Honeywell PC42t, PC42tp, and PC42d Printers, T10.19.020016 to T10.20.060398, contain a cross-site scripting vulnerability. A(n) attacker could potentially inject malicious code which may lead to information disclosure, session theft, or client-side request forgery. Honeywell… | ||
| CVE-2026-39415 | Med | 0.21 | 4.3 | 0.00 | Apr 8, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on… | ||
| CVE-2026-30933 | 0.00 | — | 0.01 | Mar 10, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in… | |||
| CVE-2026-27611 | 0.00 | — | 0.00 | Feb 25, 2026 | FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a… | |||
| CVE-2025-66507 | 0.00 | — | 0.00 | Dec 9, 2025 | 1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper… | |||
| CVE-2025-23041 | — | 0.00 | — | 0.00 | Jan 14, 2025 | Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are… | ||
| CVE-2024-52008 | 0.00 | — | 0.01 | Nov 26, 2024 | Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity… | |||
| CVE-2020-8162 | — | 0.00 | — | 0.03 | Jun 19, 2020 | A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits. | ||
| CVE-2017-12161 | — | Hig | 0.00 | 8.8 | 0.01 | Feb 21, 2018 | It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information… | |
| CVE-2014-2374 | 0.00 | — | 0.02 | Nov 5, 2014 | The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript. | |||
| CVE-2014-2373 | 0.00 | — | 0.02 | Nov 5, 2014 | The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript. |
- risk 0.28cvss 4.3epss 0.00
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. (Chromium security severity: Low)
- risk 0.28cvss 4.3epss 0.00
Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: Medium)
- risk 0.28cvss 4.3epss 0.01
A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed…
- risk 0.27cvss 5.3epss 0.00
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment…
- risk 0.24cvss 3.7epss 0.00
A security flaw has been discovered in Dígitro NGC Explorer up to 3.44.15/3.48.21. The impacted element is an unknown function of the component Password Transmission Handler. Performing a manipulation results in client-side enforcement of server-side security. The attack can be…
- risk 0.23cvss 3.5epss 0.00
Honeywell PC42t, PC42tp, and PC42d Printers, T10.19.020016 to T10.20.060398, contain a cross-site scripting vulnerability. A(n) attacker could potentially inject malicious code which may lead to information disclosure, session theft, or client-side request forgery. Honeywell…
- risk 0.21cvss 4.3epss 0.00
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on…
- CVE-2026-30933Mar 10, 2026risk 0.00cvss —epss 0.01
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in…
- CVE-2026-27611Feb 25, 2026risk 0.00cvss —epss 0.00
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to versions 1.1.3-stable and 1.2.6-beta, when users share password-protected files, the recipient can completely bypass the password and still download the file. This happens because the API returns a…
- CVE-2025-66507Dec 9, 2025risk 0.00cvss —epss 0.00
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper…
- CVE-2025-23041Jan 14, 2025risk 0.00cvss —epss 0.00
Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are…
- CVE-2024-52008Nov 26, 2024risk 0.00cvss —epss 0.01
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity…
- CVE-2020-8162Jun 19, 2020risk 0.00cvss —epss 0.03
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
- risk 0.00cvss 8.8epss 0.01
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information…
- CVE-2014-2374Nov 5, 2014risk 0.00cvss —epss 0.02
The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.
- CVE-2014-2373Nov 5, 2014risk 0.00cvss —epss 0.02
The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.