
CWE-602 Client-Side Enforcement of Server-Side Security: vulnerability list (88)

A summary of 88 CVE vulnerabilities associated with the CWE-602 (Client-Side Enforcement of Server-Side Security) weakness class, with AI-generated Chinese analysis.

CWE-602 describes a weakness in which server-side security mechanisms are enforced by the client; it is a logic and design flaw rather than an implementation bug. An attacker who modifies the client code or intercepts and alters requests can bypass the front-end restrictions and talk to the server directly, gaining unauthorized access or performing unintended operations. Developers should not rely on the front end for sensitive validation; every security control must be implemented independently on the server side to protect data integrity and system security.

MITRE CWE official description

CWE-602 Client-Side Enforcement of Server-Side Security. Description: The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. When the server relies on protection mechanisms placed on the client side, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.

Common consequences (2)

Scope: Access Control, Availability. Impact: Bypass Protection Mechanism; DoS: Crash, Exit, or Restart.
Client-side validation checks can be easily bypassed, allowing malformed or unexpected input to pass into the application, potentially as trusted data. This may lead to unexpected states, behaviors and possibly a resulting crash.

Scope: Access Control. Impact: Bypass Protection Mechanism; Gain Privileges or Assume Identity.
Client-side checks for authentication can be easily bypassed, allowing clients to escalate their access levels and perform unintended actions.

Mitigations (2)

Phase: Architecture and Design. For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server. Even though client-side checks provide minim…

Phase: Architecture and Design. If some degree of trust is required between the two entities, then use integrity checking and strong authentication to ensure that the inputs are coming from a trusted source. Design the product so that this trust is managed in a centralized fashion, especially if there are complex or numerous communication channels, in order to reduce the risks that the implementer will mistakenly omit a check in…
Code examples (2)
This example contains client-side code that checks if the user authenticated successfully before sending a command. The server-side code performs the authentication in one step, and executes the command in a separate step.
    $server = "server.example.com";
    $username = AskForUserName();
    $password = AskForPassword();
    $address = AskForAddress();
    $sock = OpenSocket($server, 1234);
    # Step 1: the client asks the server to authenticate the credentials.
    writeSocket($sock, "AUTH $username $password\n");
    $resp = readSocket($sock);
    if ($resp eq "success") {
        # username/pass is valid, go ahead and update the info!
        # Step 2: the decision to send the command is made here, on the client.
        writeSocket($sock, "CHANGE-ADDRESS $username $address\n");
    } else {
        print "ERROR: Invalid Authentication!\n";
    }
Good · Perl
    $sock = acceptSocket(1234);
    ($cmd, $args) = ParseClientRequest($sock);
    if ($cmd eq "AUTH") {
        ($username, $pass) = split(/\s+/, $args, 2);
        $result = AuthenticateUser($username, $pass);
        writeSocket($sock, "$result\n");
        # does not close the socket on failure; assumes the
        # user will try again
    } elsif ($cmd eq "CHANGE-ADDRESS") {
        # The server never checks that this client passed AUTH before
        # honouring CHANGE-ADDRESS; it relies on the client having done so.
        if (validateAddress($args)) {
            $res = UpdateDatabaseRecord($username, "address", $args);
            writeSocket($sock, "SUCCESS\n");
        } else {
            writeSocket($sock, "FAILURE -- address is malformed\n");
        }
    }
Bad · Perl
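To make the difference between the two designs concrete, the following is an added example (not from this page or from MITRE) that models the AUTH / CHANGE-ADDRESS exchange above as two in-process request handlers. The vulnerable handler mirrors the server shown above: AUTH and CHANGE-ADDRESS are independent steps and the address change is honoured on the strength of a client-supplied username. The hardened handler applies the first mitigation: it keeps authentication state per session on the server, re-checks it on every privileged command, and refuses a request whose asserted identity does not match the session. The names `Session`, `vulnerable_server`, `hardened_server`, `run` and `demo`, the credential store and the address pattern are all assumptions made for this illustration.

```python
"""Added example: server-side enforcement for the AUTH / CHANGE-ADDRESS
protocol.  All names and sample data here are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed credential store and record store (assumption: plain dicts;
# a real service would use password hashes and a real datastore).
USERS: Dict[str, str] = {"alice": "correct horse"}
DATABASE: Dict[str, Dict[str, str]] = {"alice": {"address": "1 Old Street"}}

# Assumed address syntax: printable address characters, at most 80 long.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9 ,.'-]{1,80}$")


@dataclass
class Session:
    """Per-connection state held by the server, never sent to the client."""
    authenticated_user: Optional[str] = None
    log: List[str] = field(default_factory=list)


def vulnerable_server(session: Session, line: str) -> str:
    """Mirrors the page's server: CHANGE-ADDRESS is processed without any
    check that this session passed AUTH, and the record to modify is chosen
    from the username the client put in the request."""
    cmd, _, args = line.strip().partition(" ")
    if cmd == "AUTH":
        user, _, pw = args.partition(" ")
        return "success" if USERS.get(user) == pw else "failure"
    if cmd == "CHANGE-ADDRESS":
        user, _, address = args.partition(" ")
        if not ADDRESS_RE.match(address):
            return "FAILURE -- address is malformed"
        DATABASE.setdefault(user, {})["address"] = address  # no auth check
        return "SUCCESS"
    return "ERROR -- unknown command"


def hardened_server(session: Session, line: str) -> str:
    """Server-side enforcement: AUTH records the outcome in the session,
    every privileged command re-checks it, and the target record is the
    authenticated user rather than a name asserted by the client."""
    cmd, _, args = line.strip().partition(" ")
    if cmd == "AUTH":
        user, _, pw = args.partition(" ")
        session.authenticated_user = user if USERS.get(user) == pw else None
        return "success" if session.authenticated_user else "failure"
    if cmd == "CHANGE-ADDRESS":
        if session.authenticated_user is None:
            session.log.append("rejected CHANGE-ADDRESS: session not authenticated")
            return "FAILURE -- not authenticated"
        user, _, address = args.partition(" ")
        if user != session.authenticated_user:
            session.log.append("rejected CHANGE-ADDRESS: user/session mismatch")
            return "FAILURE -- user does not match session"
        if not ADDRESS_RE.match(address):
            return "FAILURE -- address is malformed"
        DATABASE[session.authenticated_user]["address"] = address
        return "SUCCESS"
    return "ERROR -- unknown command"


def run(server: Callable[[Session, str], str], lines: List[str]) -> List[str]:
    """Feed a scripted client conversation to one server session."""
    session = Session()
    return [server(session, line) for line in lines]


def demo() -> Dict[str, object]:
    """Constructed scenario: a client whose AUTH step has been removed sends
    CHANGE-ADDRESS directly, then a well-behaved client authenticates first."""
    out: Dict[str, object] = {}
    direct = ["CHANGE-ADDRESS alice 99 New Road"]  # AUTH step skipped
    DATABASE["alice"]["address"] = "1 Old Street"
    out["vulnerable"] = run(vulnerable_server, direct)
    out["vulnerable_address"] = DATABASE["alice"]["address"]
    DATABASE["alice"]["address"] = "1 Old Street"
    out["hardened"] = run(hardened_server, direct)
    out["hardened_address"] = DATABASE["alice"]["address"]
    legit = ["AUTH alice correct horse", "CHANGE-ADDRESS alice 99 New Road"]
    out["hardened_legit"] = run(hardened_server, legit)
    out["hardened_legit_address"] = DATABASE["alice"]["address"]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping `authenticated_user` inside `Session` is that the client has no way to set it: the only path to a successful CHANGE-ADDRESS runs through the server's own AUTH handling, so removing or editing the client's check changes nothing on the server. Rejections are written to the session log so that unauthenticated or mismatched requests are visible to monitoring rather than silently dropped.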
In 2022, the OT:ICEFALL study examined products by 10 different Operational Technology (OT) vendors. The researchers reported 56 vulnerabilities and said that the products were "insecure by design" [REF-1283]. If exploited, these vulnerabilities often allowed adversaries to change how the products operated, ranging from denial of service to changing the code that the products executed. Since these…
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2025-43699 | Salesforce OmniStudio security vulnerability | OmniStudio | 9.8 (AI) | Critical (AI) | 2025-06-10 |
| CVE-2025-47697 | Uchida Yoko wivia security vulnerability | wivia 5 | 9.8 (AI) | Critical (AI) | 2025-05-30 |
| CVE-2025-33137 | IBM Aspera Faspex data modification | Aspera Faspex | 7.1 | High | 2025-05-22 |
| CVE-2025-20113 | Cisco Unified Intelligence Center Privilege Escalation Vulnerability | Cisco Unified Contact Center Express | 7.1 | High | 2025-05-21 |
| CVE-2025-33025 | Siemens multiple products security vulnerability | RUGGEDCOM ROX MX5000 | 9.9 | Critical | 2025-05-13 |
| CVE-2025-33024 | Siemens multiple products security vulnerability | RUGGEDCOM ROX MX5000 | 9.9 | Critical | 2025-05-13 |
| CVE-2025-32469 | Siemens multiple products security vulnerability | RUGGEDCOM ROX MX5000 | 9.9 | Critical | 2025-05-13 |
| CVE-2025-4527 | Dígitro NGC Explorer Password Transmission client-side enforcement of server-side security | NGC Explorer | 3.7 | Low | 2025-05-11 |
| CVE-2025-46591 | Huawei HarmonyOS security vulnerability | HarmonyOS | 6.2 | Medium | 2025-05-06 |
| CVE-2025-28168 | OutSystems Multiple File Upload security vulnerability | Multiple File Upload | 6.4 | Medium | 2025-05-05 |
| CVE-2025-1838 | IBM Cloud Pak for Business Automation denial of service | Cloud Pak for Business Automation | 6.5 | Medium | 2025-05-03 |
| CVE-2025-42601 | Captcha Bypass Vulnerability in Meon KYC solutions | KYC solutions | 5.3 | - | 2025-04-23 |
| CVE-2025-32808 | W. W. Norton InQuizitive security vulnerability | InQuizitive | 7.7 | High | 2025-04-11 |
| CVE-2025-32359 | Zammad security vulnerability | Zammad | 4.8 | Medium | 2025-04-05 |
| CVE-2024-52960 | Fortinet FortiSandbox security vulnerability | FortiSandbox | 4.2 | Medium | 2025-03-11 |
| CVE-2024-49824 | IBM Robotic Process Automation security bypass | Robotic Process Automation | 6.5 | Medium | 2025-01-18 |
| CVE-2024-12603 | TECNO com.transsion.applock security vulnerability | com.transsion.applock | 9.8 | - | 2024-12-13 |
| CVE-2024-9844 | Ivanti Connect Secure security vulnerability | Connect Secure | 7.1 | High | 2024-12-10 |
| CVE-2024-52008 | Password Policy Bypass Vulnerability in Fides Webserver | fides | 6.5 (AI) | Medium (AI) | 2024-11-26 |
| CVE-2024-6831 | AXIS Camera Station Pro security vulnerability | AXIS Camera Station Pro | 4.4 | Medium | 2024-11-26 |
| CVE-2024-23666 | Fortinet FortiManager and FortiAnalyzer security vulnerability | FortiManager | 7.1 | High | 2024-11-12 |
| CVE-2024-20476 | Cisco Identity Services Engine Authorization Bypass Vulnerability | Cisco Identity Services Engine Software | 4.3 | Medium | 2024-11-06 |
| CVE-2024-43188 | IBM Business Automation Workflow improper input validation | Business Automation Workflow | 4.9 | Medium | 2024-09-18 |
| CVE-2024-44106 | Ivanti Workspace Control security vulnerability | Workspace Control | 8.8 | High | 2024-09-10 |
| CVE-2024-42340 | CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security | CyberArk Identity Management | 8.3 | High | 2024-08-25 |
| CVE-2024-6620 | Honeywell multiple products security vulnerability | PC42t, PC42tp, and PC42d (Common Firmware) | 3.5 | Low | 2024-07-29 |
| CVE-2024-39870 | Siemens SINEMA Remote Connect security vulnerability | SINEMA Remote Connect Server | 6.3 | Medium | 2024-07-09 |
| CVE-2023-48789 | Fortinet FortiPortal security vulnerability | FortiPortal | 4.1 | Medium | 2024-06-03 |
| CVE-2024-32685 | WordPress WP Ultimate Review plugin <= 2.2.5 - Review Score Manipulation vulnerability | Wp Ultimate Review | 5.3 | Medium | 2024-05-17 |
| CVE-2024-32521 | WordPress Zero Spam for WordPress plugin <= 5.5.6 - Bypass Spam Protection vulnerability | Zero Spam | 5.3 | Medium | 2024-05-17 |

Scores and severities marked "(AI)" are estimates produced by the site's AI analysis rather than values from the official record.

CWE-602 (Client-Side Enforcement of Server-Side Security) is a common weakness class; this platform has catalogued 88 CVE vulnerabilities associated with it.