目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1325

100%
请我们喝杯咖啡

CWE-602 服务端安全的客户端实施 类漏洞列表 90

CWE-602 服务端安全的客户端实施 类弱点 90 条 CVE 漏洞汇总,含 AI 中文分析。

CWE-602 指客户端执行服务端安全机制的漏洞,属于逻辑设计缺陷。攻击者通过修改客户端代码或拦截请求,绕过前端限制直接与服务端交互,从而获取未授权访问或执行恶意操作。开发者应避免依赖前端进行敏感验证,必须确保所有安全控制逻辑均在服务端独立实施,以保障数据完整性与系统安全性。

MITRE CWE 官方描述
CWE:CWE-602 客户端执行服务端安全(Client-Side Enforcement of Server-Side Security) 英文:该产品由一个服务器组成,该服务器依赖客户端来实现旨在保护服务器的机制。 当服务器依赖放置在客户端的保护机制时,攻击者可以修改客户端行为以绕过这些保护机制,从而导致客户端与服务器之间出现潜在的意外交互。后果将因这些机制试图保护的内容不同而有所差异。
常见影响 (2)
Access Control, AvailabilityBypass Protection Mechanism, DoS: Crash, Exit, or Restart
Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash.
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity
Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.
缓解措施 (2)
Architecture and DesignFor any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minim…
Architecture and DesignIf some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in…
代码示例 (2)
This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step.
$server = "server.example.com"; $username = AskForUserName(); $password = AskForPassword(); $address = AskForAddress(); $sock = OpenSocket($server, 1234); writeSocket($sock, "AUTH $username $password\n"); $resp = readSocket($sock); if ($resp eq "success") { # username/pass is valid, go ahead and update the info! writeSocket($sock, "CHANGE-ADDRESS $username $address\n"; } else { print "ERROR: Invalid Authentication!\n"; }
Good · Perl
$sock = acceptSocket(1234); ($cmd, $args) = ParseClientRequest($sock); if ($cmd eq "AUTH") { ($username, $pass) = split(/\s+/, $args, 2); $result = AuthenticateUser($username, $pass); writeSocket($sock, "$result\n"); # does not close the socket on failure; assumes the # user will try again } elsif ($cmd eq "CHANGE-ADDRESS") { if (validateAddress($args)) { $res = UpdateDatabaseRecord($username, "address", $args); writeSocket($sock, "SUCCESS\n"); } else { writeSocket($sock, "FAILURE -- address is malformed\n"); } }
Bad · Perl
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID标题CVSS风险等级Published
CVE-2026-54104 美国GAO EPDS和CBCA EDS客户端提权漏洞 — Electronic Protest Docketing System (EPDS) 8.8 High2026-06-18
CVE-2026-42329 Iris 安全漏洞 — iris-web 4.7 Medium2026-06-04
CVE-2026-42160 dataspace-portal 安全漏洞 — dataspace-portal 4.3AIMediumAI2026-05-08
CVE-2026-39415 Frappe Learning Management System 安全漏洞 — lms 7.1AIHighAI2026-04-08
CVE-2026-25737 Budibase 安全漏洞 — budibase 8.9 High2026-03-09
CVE-2026-30783 RustDesk 安全漏洞 — RustDesk Client 8.8 -2026-03-05
CVE-2026-23859 Dell Wyse Management Suite WMS 安全漏洞 — Wyse Management Suite 2.7 Low2026-02-24
CVE-2025-36410 IBM ApplinX 安全漏洞 — ApplinX 3.1 Low2026-01-20
CVE-2026-0808 WordPress plugin Spin Wheel 安全漏洞 — Spin Wheel – Interactive spinning wheel that offers coupons 5.3 Medium2026-01-17
CVE-2026-23478 Cal.com 安全漏洞 — cal.com 9.8AICriticalAI2026-01-13
CVE-2025-14687 IBM Db2 Intelligence Center 安全漏洞 — Db2 Intelligence Center 4.3 Medium2025-12-26
CVE-2025-66507 1Panel 安全漏洞 — 1Panel 7.5 High2025-12-09
CVE-2025-36102 IBM Cognos Controller和IBM Controller 安全漏洞 — Controller 2.7 Low2025-12-08
CVE-2025-7820 WordPress plugin SKT PayPal for WooCommerce 安全漏洞 — SKT PayPal for WooCommerce 7.5 High2025-11-27
CVE-2025-12788 WordPress plugin Hydra Booking — Appointment Scheduling & Booking Calendar 安全漏洞 — Hydra Booking — Appointment Scheduling & Booking Calendar 5.3 Medium2025-11-11
CVE-2025-36093 IBM Cloud Pak for Business Automation 安全漏洞 — Cloud Pak For Business Automation 4.8 Medium2025-11-03
CVE-2025-12115 WordPress plugin WPC Name Your Price for WooCommerce 安全漏洞 — WPC Name Your Price for WooCommerce 7.5 High2025-10-31
CVE-2025-41402 Gallagher Command Centre Server 安全漏洞 — Command Centre Server 5.5 Medium2025-10-23
CVE-2025-10640 Work Examiner Professional 安全漏洞 — WorkExaminer Professional 9.1AICriticalAI2025-10-21
CVE-2025-2138 IBM Engineering Requirements Management DOORS Next 安全漏洞 — Engineering Requirements Management Doors Next 3.5 Low2025-10-12
CVE-2025-2139 IBM Engineering Requirements Management DOORS Next 安全漏洞 — Engineering Requirements Management Doors Next 3.5 Low2025-10-12
CVE-2025-9495 Viessmann Vitogate 300 安全漏洞 — Vitogate 300 9.8AICriticalAI2025-09-23
CVE-2025-53969 Cognex In-Sight Explorer和Cognex In-Sight Camera Firmware 安全漏洞 — In-Sight 2000 series 8.8 High2025-09-18
CVE-2025-6025 WordPress plugin Order Tip for WooCommerce 安全漏洞 — Order Tip for WooCommerce 7.5 High2025-08-15
CVE-2025-8792 LitmusChaos 安全漏洞 — Litmus 4.3 Medium2025-08-10
CVE-2025-36039 IBM Aspera Faspex 安全漏洞 — Aspera Faspex 6.5 Medium2025-07-30
CVE-2024-41750 IBM Operations Analytics-Log Analysis 安全漏洞 — SmartCloud Analytics Log Analysis 5.5 Medium2025-07-23
CVE-2024-41751 IBM Operations Analytics-Log Analysis 安全漏洞 — SmartCloud Analytics Log Analysis 5.5 Medium2025-07-23
CVE-2025-6249 Filez 安全漏洞 — FileZ Client 6.7 Medium2025-07-17
CVE-2025-27367 IBM OpenPages with Watson 安全漏洞 — OpenPages with Watson 5.3 Medium2025-07-08

CWE-602(服务端安全的客户端实施) 是常见的弱点类别,本平台收录该类弱点关联的 90 条 CVE 漏洞。