CWE-602 (Client-Side Enforcement of Server-Side Security) — Vulnerability Class (88 CVEs)

88 vulnerabilities classified as CWE-602 (Client-Side Enforcement of Server-Side Security). AI-generated Chinese analysis included.

CWE-602 represents a critical architectural flaw where a server improperly delegates security enforcement to the client side. This weakness occurs when developers assume that client-side controls, such as JavaScript validation or UI restrictions, are sufficient to protect sensitive server resources. Attackers typically exploit this by intercepting network traffic or modifying the client application to bypass these checks, allowing them to send unauthorized requests directly to the server. Since the server fails to independently verify the legitimacy of these actions, the attacker can manipulate data, access restricted functions, or cause unexpected system behaviors. To avoid this vulnerability, developers must implement strict server-side validation for all inputs and enforce access controls at the backend. Security mechanisms must never rely on the integrity of the client environment, ensuring that every request is authenticated and authorized regardless of how it was generated.

MITRE CWE Description
The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.
Common Consequences (2)
Scope: Access Control, Availability · Impact: Bypass Protection Mechanism; DoS: Crash, Exit, or Restart
Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash.
Scope: Access Control · Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity
Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.
Mitigations (2)
Phase: Architecture and Design · For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minim…
Phase: Architecture and Design · If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in…
Examples (2)
This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step.
    $server = "server.example.com";
    $username = AskForUserName();
    $password = AskForPassword();
    $address = AskForAddress();
    $sock = OpenSocket($server, 1234);
    writeSocket($sock, "AUTH $username $password\n");
    $resp = readSocket($sock);
    if ($resp eq "success") {
        # username/pass is valid, go ahead and update the info!
        writeSocket($sock, "CHANGE-ADDRESS $username $address\n");
    } else {
        print "ERROR: Invalid Authentication!\n";
    }
Good · Perl
    $sock = acceptSocket(1234);
    ($cmd, $args) = ParseClientRequest($sock);
    if ($cmd eq "AUTH") {
        ($username, $pass) = split(/\s+/, $args, 2);
        $result = AuthenticateUser($username, $pass);
        writeSocket($sock, "$result\n");
        # does not close the socket on failure; assumes the
        # user will try again
    } elsif ($cmd eq "CHANGE-ADDRESS") {
        # Nothing here confirms that AUTH ever succeeded on this connection:
        # only the client's own check guards this command.
        if (validateAddress($args)) {
            $res = UpdateDatabaseRecord($username, "address", $args);
            writeSocket($sock, "SUCCESS\n");
        } else {
            writeSocket($sock, "FAILURE -- address is malformed\n");
        }
    }
Bad · Perl
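As an added example (not the MITRE example's code), here is the server side of the same AUTH / CHANGE-ADDRESS protocol rewritten in Python so that authentication state is kept per connection and re-checked on every command, which is the duplicated server-side check the mitigation above calls for. The credential store, the address pattern and all helper names are constructed for this example.

```python
import re
from typing import Optional

# Constructed credential store and address format for the example only.
USERS = {"alice": "correct horse"}
ADDRESS_RE = re.compile(r"^[\w .,'-]{3,100}$")


class Session:
    """Per-connection state: who (if anyone) has passed AUTH on this socket."""
    def __init__(self) -> None:
        self.user: Optional[str] = None
        self.db: dict = {}  # stand-in for UpdateDatabaseRecord's backing store


def handle_request(session: Session, line: str) -> str:
    """Handle one client line. The server decides, from its own state, whether
    the connection is authenticated; it never trusts the client's claim."""
    cmd, _, args = line.strip().partition(" ")
    if cmd == "AUTH":
        username, _, password = args.partition(" ")
        if USERS.get(username) == password:
            session.user = username  # record the identity server-side
            return "success"
        session.user = None  # a failed attempt clears any earlier login
        return "failure"
    if cmd == "CHANGE-ADDRESS":
        if session.user is None:
            return "FAILURE -- not authenticated"  # the check the Perl server lacks
        username, _, address = args.partition(" ")
        if username != session.user:
            return "FAILURE -- not authorized for that user"  # no cross-user writes
        if not ADDRESS_RE.match(address):
            return "FAILURE -- address is malformed"
        session.db[session.user] = address
        return "SUCCESS"
    return "FAILURE -- unknown command"


def run_session(lines):
    """Replay a constructed client transcript on one connection; returns the
    replies and the resulting record store, so a tampered client can be tested."""
    session = Session()
    return [handle_request(session, ln) for ln in lines], session.db


if __name__ == "__main__":
    # A client that skips AUTH (the bypass CWE-602 describes) is refused.
    print(run_session(["CHANGE-ADDRESS alice 1 Main St"]))
    print(run_session(["AUTH alice correct horse", "CHANGE-ADDRESS alice 1 Main St"]))
```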
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
CVE ID · Title — Product · CVSS · Severity · Published
CVE-2026-42160 · Data Space Portal: Incorrect Authorization and Client-Side Enforcement of Server-Side Security in ghcr.io/sovity/ds-portal-ce-backend — dataspace-portal · 4.3 (AI) · Medium (AI) · 2026-05-08
CVE-2026-39415 · Frappe Learning Management System has Client-Side Manipulation of Quiz Scores — lms · 7.1 (AI) · High (AI) · 2026-04-08
CVE-2026-25737 · Budibase Arbitrary File Upload Leading to Multiple Critical Vulnerabilities (SSRF, Stored XSS) — budibase · 8.9 · High · 2026-03-09
CVE-2026-30783 · RustDesk Client Can Orphan API Channel to Ignore All Admin Commands and ACL Policies — RustDesk Client · 8.8 · - · 2026-03-05
CVE-2026-23859 · Dell Wyse Management Suite WMS security vulnerability — Wyse Management Suite · 2.7 · Low · 2026-02-24
CVE-2025-36410 · Multiple vulnerabilities found in IBM ApplinX — ApplinX · 3.1 · Low · 2026-01-20
CVE-2026-0808 · Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter — Spin Wheel – Interactive spinning wheel that offers coupons · 5.3 · Medium · 2026-01-17
CVE-2026-23478 · Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback — cal.com · 9.8 (AI) · Critical (AI) · 2026-01-13
CVE-2025-14687 · Client-Side Enforcement of Server-Side Security in IBM Db2 Intelligence Center — Db2 Intelligence Center · 4.3 · Medium · 2025-12-26
CVE-2025-66507 · 1Panel – CAPTCHA Bypass via Client-Controlled Flag — 1Panel · 7.5 · High · 2025-12-09
CVE-2025-36102 · IBM Controller Validation Bypass — Controller · 2.7 · Low · 2025-12-08
CVE-2025-7820 · SKT PayPal for WooCommerce <= 1.4 - Unauthenticated Payment Bypass — SKT PayPal for WooCommerce · 7.5 · High · 2025-11-27
CVE-2025-12788 · Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass — Hydra Booking — Appointment Scheduling & Booking Calendar · 5.3 · Medium · 2025-11-11
CVE-2025-36093 · Security vulnerabilities are addressed with IBM Business Automation Insights iFixes for October 2025 — Cloud Pak For Business Automation · 4.8 · Medium · 2025-11-03
CVE-2025-12115 · WPC Name Your Price for WooCommerce <= 2.1.9 - Unauthenticated Price Alteration — WPC Name Your Price for WooCommerce · 7.5 · High · 2025-10-31
CVE-2025-41402 · Gallagher Command Centre Server security vulnerability — Command Centre Server · 5.5 · Medium · 2025-10-23
CVE-2025-10640 · Missing Server-Side Authentication Checks in EfficientLab WorkExaminer Professional — WorkExaminer Professional · 9.1 (AI) · Critical (AI) · 2025-10-21
CVE-2025-2138 · IBM Engineering Requirements Management Doors Next data modification — Engineering Requirements Management Doors Next · 3.5 · Low · 2025-10-12
CVE-2025-2139 · IBM Engineering Requirements Management Doors Next security bypass — Engineering Requirements Management Doors Next · 3.5 · Low · 2025-10-12
CVE-2025-9495 · Viessmann Vitogate 300 Authentication Bypass — Vitogate 300 · 9.8 (AI) · Critical (AI) · 2025-09-23
CVE-2025-53969 · Cognex In-Sight Explorer and In-Sight Camera Firmware Client-Side Enforcement of Server-Side Security — In-Sight 2000 series · 8.8 · High · 2025-09-18
CVE-2025-6025 · Order Tip for WooCommerce <= 1.5.4 - Unauthenticated Tip Manipulation to Negative Value Leading to Unauthorized Discounts — Order Tip for WooCommerce · 7.5 · High · 2025-08-15
CVE-2025-8792 · LitmusChaos Litmus client-side enforcement of server-side security — Litmus · 4.3 · Medium · 2025-08-10
CVE-2025-36039 · IBM Aspera Faspex bypass security — Aspera Faspex · 6.5 · Medium · 2025-07-30
CVE-2024-41750 · IBM SmartCloud Analytics - Log Analysis security bypass — SmartCloud Analytics Log Analysis · 5.5 · Medium · 2025-07-23
CVE-2024-41751 · IBM SmartCloud Analytics - Log Analysis security bypass — SmartCloud Analytics Log Analysis · 5.5 · Medium · 2025-07-23
CVE-2025-6249 · Filez security vulnerability — FileZ Client · 6.7 · Medium · 2025-07-17
CVE-2025-27367 · IBM OpenPages with Watson improper input validation — OpenPages with Watson · 5.3 · Medium · 2025-07-08
CVE-2025-5450 · Ivanti Connect Secure and Ivanti Policy Secure security vulnerability — Connect Secure · 6.3 · Medium · 2025-07-08
CVE-2025-40591 · Security vulnerability in multiple Siemens products — RUGGEDCOM ROX MX5000 · 7.7 · High · 2025-06-10

Vulnerabilities classified as CWE-602 (Client-Side Enforcement of Server-Side Security) represent 88 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.