CWE-602
100 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.

CVEs classified under CWE-602 (page 1 of 2). Each entry lists the CVE ID, severity rating, CVSS score, EG score, and publication date, followed by the advisory summary.
- CVE-2014-2373 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2014-11-05
  The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.
- CVE-2014-2374 | Severity: NONE | CVSS 0.0 | EG 0.0 | 2014-11-05
  The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.
- CVE-2017-12161 | Severity: HIGH | CVSS 8.8 | EG 8.8 | 2018-02-21
  It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid re…
- CVE-2020-24683 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2020-12-22
  The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a…
- CVE-2020-27268 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | 2021-01-19
  In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for de…
- CVE-2020-5345 | Severity: MEDIUM | CVSS 6.4 | EG 6.4 | 2020-06-23
  Dell EMC Unisphere for PowerMax versions prior to 9.1.0.17, Dell EMC Unisphere for PowerMax Virtual Appliance versions prior to 9.1.0.17, and PowerMax OS Release 5978 contain an authorization bypass vulnerability. An authenticated maliciou…
- CVE-2020-8162 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2020-06-19
  A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload …
- CVE-2021-21531 | Severity: HIGH | CVSS 8.1 | EG 8.1 | 2021-04-30
  Dell Unisphere for PowerMax versions prior to 9.2.1.6 contain an Authorization Bypass Vulnerability. A local authenticated malicious user with monitor role may exploit this vulnerability to perform unauthorized actions.
- CVE-2021-21544 | Severity: LOW | CVSS 2.7 | EG 2.7 | 2021-04-30
  Dell EMC iDRAC9 versions prior to 4.40.00.00 contain an improper authentication vulnerability. A remote authenticated malicious user with high privileges could potentially exploit this vulnerability to manipulate the username field under t…
- CVE-2021-36338 | Severity: MEDIUM | CVSS 6.3 | EG 8.0 | 2022-01-21
  Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not hav…
- CVE-2022-1525 | Severity: CRITICAL | CVSS 9.1 | EG 9.1 | 2022-09-06
  The Cognex 3D-A1000 Dimensioning System in firmware version 1.0.3 (3354) and prior is vulnerable to CWE-602: Client-Side Enforcement of Server-Side Security, which could allow attackers to bypass web access controls by inspecting and modif…
- CVE-2022-20658 | Severity: CRITICAL | CVSS 9.6 | EG 9.6 | 2022-01-14
  A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate …
- CVE-2022-3047 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | 2022-09-26
  Insufficient policy enforcement in Extensions API in Google Chrome prior to 105.0.5195.52 allowed an attacker who convinced a user to install a malicious extension to bypass downloads policy via a crafted HTML page.
- CVE-2022-31233 | Severity: MEDIUM | CVSS 6.3 | EG 8.0 | 2022-08-31
  Unisphere for PowerMax versions before 9.2.3.15 contain a privilege escalation vulnerability. An adjacent malicious user may potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have ac…
- CVE-2022-3308 | Severity: HIGH | CVSS 7.4 | EG 7.4 | 2022-11-01
  Insufficient policy enforcement in developer tools in Google Chrome prior to 106.0.5249.62 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2022-3310 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | 2022-11-01
  Insufficient policy enforcement in custom tabs in Google Chrome on Android prior to 106.0.5249.62 allowed an attacker who convinced the user to install an application to bypass same origin policy via a crafted application. (Chromium securi…
- CVE-2023-0581 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | 2023-01-30
  The PrivateContent plugin for WordPress is vulnerable to protection mechanism bypass due to the use of client side validation in versions up to, and including, 8.4.3. This is due to the plugin checking if an IP had been blocklist via clien…
- CVE-2023-0704 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | 2023-02-07
  Insufficient policy enforcement in DevTools in Google Chrome prior to 110.0.5481.77 allowed a remote attacker to bypass same origin policy and proxy settings via a crafted HTML page. (Chromium security severity: Low)
- CVE-2023-0750 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2023-04-06
  Yellobrik PEC-1864 implements authentication checks via JavaScript in the frontend interface. When the device can be accessed over the network an attacker could bypass authentication. This would allow an attacker to: - Change the p…
- CVE-2023-20106 | Severity: MEDIUM | CVSS 5.4 | EG 5.4 | 2023-05-18
  Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated attacker to delete or read arbitrary files on the underlying operating system. To exploit these vulnerabilities, an attacker must have valid cred…
- CVE-2023-20171 | Severity: MEDIUM | CVSS 5.4 | EG 5.4 | 2023-05-18
  Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated attacker to delete or read arbitrary files on the underlying operating system. To exploit these vulnerabilities, an attacker must have valid cred…
- CVE-2023-20172 | Severity: MEDIUM | CVSS 5.4 | EG 5.4 | 2023-05-18
  Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated attacker to delete or read arbitrary files on the underlying operating system. To exploit these vulnerabilities, an attacker must have valid cred…
- CVE-2023-23570 | Severity: MEDIUM | CVSS 5.4 | EG 5.4 | 2023-12-18
  Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid configuration with undefined behavior. This issue affects: Gallagher Command Centre 8.90 prior to vEL8.90.1620 (MR2), al…
- CVE-2023-30955 | Severity: MEDIUM | CVSS 4.3 | EG 4.3 | 2023-06-29
  A security defect was identified in Foundry workspace-server that enabled a user to bypass an authorization check and view settings related to 'Developer Mode'. This enabled users with insufficient privilege the ability to view and interac…
- CVE-2023-36535 | Severity: HIGH | CVSS 7.1 | EG 7.1 | 2023-08-08
  Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow an authenticated user to enable information disclosure via network access.
- CVE-2023-3747 | Severity: MEDIUM | CVSS 5.5 | EG 5.5 | 2023-09-07
  Zero Trust Administrators have the ability to disallow end users from disabling WARP on their devices. Override codes can also be created by the Administrators to allow a device to temporarily be disconnected from WARP, however, due to lac…
- CVE-2023-39218 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | 2023-08-08
  Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow a privileged user to enable information disclosure via network access.
- CVE-2023-42787 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | 2023-10-10
  A client-side enforcement of server-side security [CWE-602] vulnerability in Fortinet FortiManager version 7.4.0 and before 7.2.3 and FortiAnalyzer version 7.4.0 and before 7.2.3 may allow a remote attacker with low privileges to access a…
- CVE-2023-48789 | Severity: MEDIUM | CVSS 4.3 | EG 4.3 | 2024-06-03
  A client-side enforcement of server-side security in Fortinet FortiPortal version 6.0.0 through 6.0.14 allows an attacker improper access control via crafted HTTP requests.
- CVE-2024-0701 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | 2024-02-05
  The UserPro plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 5.1.6. This is due to the use of client-side restrictions to enforce the 'Disabled registration' Membership feature within the …
- CVE-2024-12603 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-13
  A logic vulnerability in the mobile application (com.transsion.applock) can lead to bypassing the application password.
- CVE-2024-20476 | Severity: MEDIUM | CVSS 4.3 | EG 4.3 | 2024-11-06
  A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific file management functions. This vulnerability is due to lack of server-…
- CVE-2024-23666 | Severity: HIGH | CVSS 7.5 | EG 7.5 | 2024-11-12
  A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7.…
- CVE-2024-28029 | Severity: HIGH | CVSS 8.8 | EG 8.8 | 2024-03-21
  Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality.
- CVE-2024-31491 | Severity: HIGH | CVSS 8.8 | EG 8.8 | 2024-05-14
  A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6 allows an attacker to execute unauthorized code or commands via HTTP requests.
- CVE-2024-32512 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | 2024-05-17
  Client-Side Enforcement of Server-Side Security vulnerability in weForms allows Removing Important Client Functionality. This issue affects weForms: from n/a through 1.6.20.
- CVE-2024-32521 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | 2024-05-17
  Client-Side Enforcement of Server-Side Security vulnerability in Highfivery LLC Zero Spam allows Removing Important Client Functionality. This issue affects Zero Spam: from n/a through 5.5.6.
- CVE-2024-32685 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | 2024-05-17
  Client-Side Enforcement of Server-Side Security vulnerability in Wpmet Wp Ultimate Review allows Functionality Bypass. This issue affects Wp Ultimate Review: from n/a through 2.2.5.
- CVE-2024-39870 | Severity: MEDIUM | CVSS 6.3 | EG 6.3 | 2024-07-09
  A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2 SP1). The affected applications can be configured to allow users to manage own users. A local authenticated user with this privilege could use this mo…
- CVE-2024-41750 | Severity: MEDIUM | CVSS 5.5 | EG 5.5 | 2025-07-23
  IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data.
- CVE-2024-41751 | Severity: MEDIUM | CVSS 5.5 | EG 5.5 | 2025-07-23
  IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data.
- CVE-2024-42340 | Severity: HIGH | CVSS 8.3 | EG 8.3 | 2024-08-25
  CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security
- CVE-2024-43188 | Severity: MEDIUM | CVSS 4.9 | EG 4.9 | 2024-09-18
  IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation.
- CVE-2024-44106 | Severity: HIGH | CVSS 8.8 | EG 8.8 | 2024-09-10
  Insufficient server-side controls in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges.
- CVE-2024-49824 | Severity: MEDIUM | CVSS 6.5 | EG 6.5 | 2025-01-18
  IBM Robotic Process Automation 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 could allow an authenticated user to perform unautho…
- CVE-2024-52008 | Severity: HIGH | CVSS 8.8 | EG 8.8 | 2024-11-26
  Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI…
- CVE-2024-52960 | Severity: MEDIUM | CVSS 4.3 | EG 4.3 | 2025-03-11
  A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthor…
- CVE-2024-6620 | Severity: LOW | CVSS 3.5 | EG 3.5 | 2024-07-29
  Honeywell PC42t, PC42tp, and PC42d Printers, T10.19.020016 to T10.20.060398, contain a cross-site scripting vulnerability. An attacker could potentially inject malicious code which may lead to information disclosure, session theft, or cl…
- CVE-2024-6831 | Severity: MEDIUM | CVSS 4.4 | EG 4.4 | 2024-11-26
  Seth Fogie, a member of the AXIS Camera Station Pro Bug Bounty Program, has found that it is possible to edit and/or remove views without the necessary permission due to a client-side-only check. Axis has released patched versions for the highli…
- CVE-2024-9844 | Severity: HIGH | CVSS 7.1 | EG 7.1 | 2024-12-10
  Insufficient server-side controls in Secure Application Manager of Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker to bypass restrictions.