95 vulnerabilities classified as CWE-602 (服务端安全的客户端实施). AI Chinese analysis included.
CWE-602 represents a critical architectural flaw where a server improperly delegates security enforcement to the client side. This weakness occurs when developers assume that client-side controls, such as JavaScript validation or UI restrictions, are sufficient to protect sensitive server resources. Attackers typically exploit this by intercepting network traffic or modifying the client application to bypass these checks, allowing them to send unauthorized requests directly to the server. Since the server fails to independently verify the legitimacy of these actions, the attacker can manipulate data, access restricted functions, or cause unexpected system behaviors. To avoid this vulnerability, developers must implement strict server-side validation for all inputs and enforce access controls at the backend. Security mechanisms must never rely on the integrity of the client environment, ensuring that every request is authenticated and authorized regardless of how it was generated.
$server = "server.example.com"; $username = AskForUserName(); $password = AskForPassword(); $address = AskForAddress(); $sock = OpenSocket($server, 1234); writeSocket($sock, "AUTH $username $password\n"); $resp = readSocket($sock); if ($resp eq "success") { # username/pass is valid, go ahead and update the info! writeSocket($sock, "CHANGE-ADDRESS $username $address\n"; } else { print "ERROR: Invalid Authentication!\n"; }$sock = acceptSocket(1234); ($cmd, $args) = ParseClientRequest($sock); if ($cmd eq "AUTH") { ($username, $pass) = split(/\s+/, $args, 2); $result = AuthenticateUser($username, $pass); writeSocket($sock, "$result\n"); # does not close the socket on failure; assumes the # user will try again } elsif ($cmd eq "CHANGE-ADDRESS") { if (validateAddress($args)) { $res = UpdateDatabaseRecord($username, "address", $args); writeSocket($sock, "SUCCESS\n"); } else { writeSocket($sock, "FAILURE -- address is malformed\n"); } }| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2020-8162 | Ruby on Rails 代码问题漏洞 — https://github.com/rails/rails | 7.5 | - | 2020-06-19 |
| CVE-2017-12161 | Red Hat keycloak 安全漏洞 — Keycloak | 8.8 | - | 2018-02-21 |
| CVE-2017-14013 | ProMinent MultiFLEX M10a Controller Web界面安全漏洞 — ProMinent MultiFLEX M10a Controller | 7.7 | - | 2017-10-17 |
| CVE-2014-2373 | Accuenergy Accuenergy Acuvim II Client-Side Enforcement of Server-Side Security — Accuenergy Acuvim II AXN-NET Ethernet module | 9.1 | - | 2014-11-05 |
| CVE-2014-2374 | Accuenergy Accuenergy Acuvim II Client-Side Enforcement of Server-Side Security — Accuenergy Acuvim II AXN-NET Ethernet module | 9.1 | - | 2014-11-05 |
Vulnerabilities classified as CWE-602 (服务端安全的客户端实施) represent 95 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.