Total
55 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-61197 | 2025-10-06 | N/A | 8.9 HIGH | ||
| An issue in Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, Optimod Trio Optimod version 1.0.0.33 - System version 2.5.26 allows a remote attacker to escalate privileges via the application stores user privilege/role information in client-side browser storage | |||||
| CVE-2025-28168 | 1 Multiple File Upload Project | 1 Multiple File Upload | 2025-09-30 | N/A | 6.4 MEDIUM |
| The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems. | |||||
| CVE-2025-46591 | 1 Huawei | 1 Harmonyos | 2025-09-26 | N/A | 6.2 MEDIUM |
| Out-of-bounds data read vulnerability in the authorization module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2025-9495 | 2025-09-24 | N/A | N/A | ||
| The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device. | |||||
| CVE-2024-52008 | 1 Ethyca | 1 Fides | 2025-09-23 | N/A | 8.8 HIGH |
| Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the system, an invite email containing a special link is sent to the new user's email address. This link directs the new user to a page where they can set their initial password. While the user interface implements password complexity checks, these validations are only performed client-side. The underlying `/api/v1/user/accept-invite` API endpoint does not implement the same password policy validations. This vulnerability allows an invited user to set an extremely weak password for their own account during the initial account setup process. Therefore that specific user's account can be compromised easily by an attacker guessing or brute forcing the password. The vulnerability has been patched in Fides version `2.50.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-53969 | 2025-09-19 | N/A | 8.8 HIGH | ||
| Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying users' access to the device. | |||||
| CVE-2025-54833 | 1 Opexus | 1 Foiaxpress Public Access Link | 2025-09-12 | N/A | 5.3 MEDIUM |
| OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords. | |||||
| CVE-2025-56694 | 1 Lumasoft | 1 Fotoshare Cloud | 2025-09-09 | N/A | 5.8 MEDIUM |
| Client-side password validation (CWE-602) in lumasoft fotoShare Cloud 2025-03-13 allowing unauthenticated attackers to view password-protected photo albums. | |||||
| CVE-2024-12603 | 2025-09-05 | N/A | 9.8 CRITICAL | ||
| A logic vulnerability in the the mobile application (com.transsion.applock) can lead to bypassing the application password. | |||||
| CVE-2025-8792 | 1 Litmuschaos | 1 Litmus | 2025-09-02 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-49824 | 1 Ibm | 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak | 2025-08-18 | N/A | 6.5 MEDIUM |
| IBM Robotic Process Automation 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 could allow an authenticated user to perform unauthorized actions as a privileged user due to improper validation of client-side security enforcement. | |||||
| CVE-2025-6025 | 2025-08-15 | N/A | 7.5 HIGH | ||
| The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted. | |||||
| CVE-2025-1838 | 1 Ibm | 1 Cloud Pak For Business Automation | 2025-08-14 | N/A | 6.5 MEDIUM |
| IBM Cloud Pak for Business Automation 24.0.0 and 24.0.1 through 24.0.1 IF001 Authoring allows an authenticated user to bypass client-side data validation in an authoring user interface which could cause a denial of service. | |||||
| CVE-2024-41751 | 1 Ibm | 1 Smartcloud Analytics Log Analysis | 2025-08-06 | N/A | 5.5 MEDIUM |
| IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data. | |||||
| CVE-2024-41750 | 1 Ibm | 1 Smartcloud Analytics Log Analysis | 2025-08-06 | N/A | 5.5 MEDIUM |
| IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data. | |||||
| CVE-2025-36039 | 1 Ibm | 1 Aspera Faspex | 2025-08-06 | N/A | 6.5 MEDIUM |
| IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms, | |||||
| CVE-2024-52960 | 1 Fortinet | 1 Fortisandbox | 2025-07-24 | N/A | 4.3 MEDIUM |
| A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. | |||||
| CVE-2025-20113 | 1 Cisco | 2 Unified Contact Center Express, Unified Intelligence Center | 2025-07-22 | N/A | 7.1 HIGH |
| A vulnerability in Cisco Unified Intelligence Center could allow an authenticated, remote attacker to elevate privileges to Administrator for a limited set of functions on an affected system. This vulnerability is due to insufficient server-side validation of user-supplied parameters in API or HTTP requests. An attacker could exploit this vulnerability by submitting a crafted API or HTTP request to an affected system. A successful exploit could allow the attacker to access, modify, or delete data beyond the sphere of their intended access level, including obtaining potentially sensitive information stored in the system. | |||||
| CVE-2025-6249 | 2025-07-17 | N/A | 6.7 MEDIUM | ||
| An authentication bypass vulnerability was reported in FileZ client application that could allow a local attacker with elevated permissions access to application data. | |||||
| CVE-2025-5450 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-15 | N/A | 6.3 MEDIUM |
| Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted. | |||||