VYPR

CWE-603

Use of Client-Side Authentication

Abstraction: Base
Status: Draft

Description

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

Client-side authentication is extremely weak and easily bypassed. The client runs on hardware the attacker controls, so the attacker can read its source code or disassemble its binary, reverse-engineer the authentication mechanism, and either patch the check out of the client or send requests to the server directly, reaching parts of the application that should be protected. The only reliable fix is to authenticate on the server: treat every request as unauthenticated until the server itself has verified a credential, and base authorization decisions on server-side session state rather than on anything the client asserts about itself.

Hierarchy (View 1000)

Children

none

CVEs mapped to this weakness (10)

  • CVE-2026-1363 (Critical), Jan 23, 2026
    risk 0.64, CVSS 9.8, EPSS 0.01

    IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end.

  • CVE-2025-12868 (Critical), Nov 10, 2025
    risk 0.64, CVSS 9.8, EPSS 0.00

    New Site Server developed by CyberTutor has a Use of Client-Side Authentication vulnerability, allowing unauthenticated remote attackers to modify the frontend code to gain administrator privileges on the website.

  • CVE-2017-7909 (Critical), May 6, 2017
    risk 0.64, CVSS 9.8, EPSS 0.03

    A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass…

  • CVE-2025-64119 (Critical), Jan 2, 2026
    risk 0.60, CVSS n/a, EPSS 0.00

    A vulnerability in Nuvation Battery Management System allows Authentication Bypass. This issue affects Battery Management System: through 2.3.9.

  • CVE-2026-42098 (High), May 19, 2026
    risk 0.57, CVSS n/a, EPSS 0.00

    Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is…

  • CVE-2026-40551 (High), Apr 28, 2026
    risk 0.55, CVSS n/a, EPSS 0.00

    mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects…

  • CVE-2025-24517 (High), Mar 31, 2025
    risk 0.49, CVSS 7.5, EPSS 0.01

    Use of client-side authentication issue exists in CHOCO TEI WATCHER mini (IB-MCT001) all versions. If this issue is exploited, a remote attacker may obtain the product login password without authentication.

  • CVE-2024-28627 (High), Apr 23, 2024
    risk 0.49, CVSS 7.5, EPSS 0.00

    An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file.

  • CVE-2020-6988 (High), Mar 16, 2020
    risk 0.49, CVSS 7.5, EPSS 0.04

    Rockwell Automation MicroLogix 1400 Controllers Series B v21.001 and prior, Series A, all versions, MicroLogix 1100 Controller, all versions, RSLogix 500 Software v12.001 and prior, A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the…

  • CVE-2026-8830 (Medium), May 19, 2026
    risk 0.21, CVSS 4.3, EPSS 0.00

    A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's…