
15 matches found

Vulnrichment · added 2026/01/16 1:34 p.m. · 1 view

CVE-2026-0696 Session Cookies Missing HttpOnly Attribute

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values...

CVSS 6.5 · AI score 6.4 · EPSS 0.0002
Exploits: 0 · References: 2
RedhatCVE · added 2026/01/09 9:36 a.m. · 4 views

CVE-2024-34520

An authorization bypass vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R10240, which allows an authenticated 'guest' user to perform unauthorized administrative actions, such as accessing the 'add user' feature, by bypassing client-side access controls...

CVSS 8.8 · AI score 6.7 · EPSS 0.00038
Exploits: 0 · References: 1
OSV · added 2025/04/11 1:15 a.m. · 0 views

CVE-2025-32808

W. W. Norton InQuizitive through 2025-04-08 allows students to insert arbitrary records of their quiz performance into the backend, because only client-side access control exists...

CVSS 7.7 · AI score 5.9 · EPSS 0.00172
Exploits: 1 · References: 1
Positive Technologies · added 2025/04/11 12:00 a.m. · 1 view

PT-2025-16017 · W. W. Norton · W. W. Norton Inquizitive

Name of the Vulnerable Software and Affected Versions: W. W. Norton InQuizitive versions through 2025-04-08 Description: The issue allows students to insert arbitrary records of their quiz performance into the backend due to the existence of only client-side access control. This is related to a...

CVSS 7.7 · AI score 6.3 · EPSS 0.00172
Exploits: 1 · References: 7
CVE · added 2025/04/11 12:00 a.m. · 52 views

CVE-2025-32808

Affected software: W. W. Norton InQuizitive (through 2025-04-08). The vulnerability arises from client-side access control, allowing a student to insert arbitrary quiz records into the backend, with integrity impact (I=HIGH) and no confidentiality impact (C=NONE). CVSS details: CVSS 3.1 base scor...

CVSS 7.7 · AI score 7 · EPSS 0.00172
Exploits: 1 · References: 1 · Affected Software: 1
Vulnrichment · added 2025/04/11 12:00 a.m. · 6 views

CVE-2025-32808

W. W. Norton InQuizitive through 2025-04-08 allows students to insert arbitrary records of their quiz performance into the backend, because only client-side access control exists...

CVSS 7.7 · AI score 7.6 · EPSS 0.00172
Exploits: 1 · References: 1
Tenable Nessus · added 2025/03/28 12:00 a.m. · 5 views

Devolutions Remote Desktop < 2024.3.31 / 2025.x < 2025.1.26 multiple vulnerabilities (DEVO-2025-0005)

The version of Devolutions Remote Desktop Manager installed on the remote host is prior to 2024.3.31 / 2025.1.26 and is, therefore, affected by multiple vulnerabilities: - Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An...

CVSS 6.8 · AI score 5.6 · EPSS 0.00292
Exploits: 0 · References: 5
OSV · added 2025/03/26 6:15 p.m. · 1 view

CVE-2025-2499

Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions—specifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This...

CVSS 5.4 · AI score 5.7 · EPSS 0.00069
Exploits: 0 · References: 1
Vulnrichment · added 2025/03/26 5:14 p.m. · 5 views

CVE-2025-2499

Client side access control bypass in the permission component in Devolutions Remote Desktop Manager on Windows. An authenticated user can exploit this flaw to bypass certain permission restrictions—specifically View Password, Edit Asset, and Edit Permissions by performing specific actions. This...

AI score 7 · EPSS 0.00069
Exploits: 0 · References: 1
OSV · added 2023/05/16 8:15 p.m. · 1 view

CVE-2023-29927

Versions of Sage 300 through 2022 implement role-based access controls that are only enforced client-side. Low-privileged Sage users, particularly those on a workstation setup in the "Windows Peer-to-Peer Network" or "Client Server Network" Sage 300 configurations, could recover the SQL connectio...

CVSS 4.3 · AI score 5.8
Exploits: 0 · References: 1
OSV · added 2021/08/31 11:15 a.m. · 2 views

CVE-2021-34563

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript...

CVSS 3.3 · AI score 6.3
Exploits: 0 · References: 1
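Both HttpOnly entries on this page (CVE-2026-0696 above and CVE-2021-34563 here) come down to the same defect: a session cookie emitted without the HttpOnly attribute, so script running in the page can read its value. The JavaScript below is an added example, not code from ConnectWise, Pepperl+Fuchs or the database: it parses Set-Cookie response headers, flags the missing attribute (plus Secure and SameSite, which a reviewer checks at the same time), and shows the hardened header. The name pattern used to guess which cookies carry a session, the severity rating and the sample headers are constructed assumptions.

```javascript
// Added example, not any vendor's code. Audits Set-Cookie headers for the
// HttpOnly gap described in CVE-2026-0696 / CVE-2021-34563.

// Assumption: cookies whose names look like these carry a session or token.
const SESSION_NAME_HINT = /sess|sid|token|auth|jsessionid|phpsessid/i;

// Parse one Set-Cookie header value into name, value and an attribute map.
// Attribute names are lower-cased; a bare attribute (HttpOnly, Secure) is true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const value = eq < 0 ? '' : pair.slice(eq + 1);   // value may itself contain '='
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attributes[k] = i < 0 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Findings for a single cookie header.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!('httponly' in c.attributes)) findings.push('missing HttpOnly');
  if (!('secure' in c.attributes)) findings.push('missing Secure');
  const ss = String(c.attributes.samesite || '').toLowerCase();
  if (!ss) findings.push('missing SameSite');
  else if (ss === 'none' && !('secure' in c.attributes)) findings.push('SameSite=None without Secure');
  return { name: c.name, sessionLike: SESSION_NAME_HINT.test(c.name), findings };
}

// Audit every Set-Cookie header of one response. Only a session-like cookie
// without HttpOnly is rated high; other gaps are reported as low (assumed scale).
function auditResponse(setCookieHeaders) {
  return setCookieHeaders.map(h => {
    const r = auditCookie(h);
    const high = r.sessionLike && r.findings.includes('missing HttpOnly');
    return { ...r, severity: r.findings.length === 0 ? 'ok' : high ? 'high' : 'low' };
  });
}

// The hardened form: how a session cookie should be emitted.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample response: two session-style cookies lacking HttpOnly,
// one harmless preference cookie, and the corrected session cookie.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/; Secure',
  'auth_token=eyJhbGci; Path=/; SameSite=Lax',
  'theme=dark; Path=/; Max-Age=31536000',
  buildSessionCookie('SESSIONID', 'abc123', 3600),
];

console.log(JSON.stringify(auditResponse(SAMPLE_HEADERS), null, 2));
```

One caveat worth keeping in mind when triaging these: HttpOnly stops script from reading the cookie value, so an XSS payload cannot ship the session to a remote host, but script in the page can still send requests that the browser attaches the cookie to. It narrows the impact of an XSS, it does not remove it.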
Cvelist · added 2020/07/20 2:45 p.m. · 9 views

CVE-2020-14485

OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries...

AI score 9.7 · EPSS 0.00612
Exploits: 0 · References: 1
Prion · added 2018/12/26 9:29 p.m. · 10 views

Design/Logic Flaw

An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element...

CVSS 6.8 · AI score 7.9 · EPSS 0.02635
Exploits: 4 · References: 5 · Affected Software: 1
Cvelist · added 2018/12/26 8:00 p.m. · 14 views

CVE-2018-19616

An issue was discovered in Rockwell Automation Allen-Bradley PowerMonitor 1000. An unauthenticated user can add/edit/remove administrators because access control is implemented on the client side via a disabled attribute for a BUTTON element...

AI score 7 · EPSS 0.02635
Exploits: 4 · References: 5
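The PowerMonitor 1000 entries (CVE-2018-19616), the InQuizitive entries (CVE-2025-32808), the Mavenir portal (CVE-2024-34520) and OpenClinic (CVE-2020-14485) all describe one design flaw: the server trusts that the UI hid or disabled an action, so anyone who skips the UI gets the action. The JavaScript below is an added example, not code from any of those products: a hypothetical "add administrator" endpoint in its vulnerable form, where the only gate is a disabled button, beside the hardened form, where authorization is decided from the server-side session. The session table, role names, route and username rule are assumptions.

```javascript
// Added example, not any product's code. Models the "access control only in
// the client" pattern from the entries above, and its server-side fix.

// Constructed session store: session ID -> identity. Assumed for the example.
const SESSIONS = {
  s_admin: { user: 'alice', role: 'admin' },
  s_guest: { user: 'bob', role: 'guest' },
};

function makeStore() { return { admins: new Set(['alice']) }; }

// What the vulnerable UI does: the same form is served to everyone, and the
// only difference for a non-admin is a `disabled` attribute on the button.
function renderAddAdminButton(role) {
  return role === 'admin'
    ? '<button id="add">Add admin</button>'
    : '<button id="add" disabled>Add admin</button>';
}

// Vulnerable handler: never looks at who is calling. A client can re-enable
// the button from the browser's developer tools, or skip the page entirely
// and send the request directly; either way this code accepts it.
function vulnerableAddAdmin(store, req) {
  const body = JSON.parse(req.body);
  store.admins.add(body.username);
  return { status: 200, body: 'added' };
}

// Hardened handler: authorization comes from the server-side session looked
// up by cookie, not from anything the client asserts about itself. Missing
// session -> 401, wrong role -> 403, and the store is untouched in both cases.
function secureAddAdmin(store, req) {
  const session = SESSIONS[req.cookies.sid];
  if (!session) return { status: 401, body: 'login required' };
  if (session.role !== 'admin') return { status: 403, body: 'forbidden' };
  const body = JSON.parse(req.body);
  // Assumed input rule for the example; validation is in addition to authz.
  if (typeof body.username !== 'string' || !/^[a-z0-9_]{1,32}$/.test(body.username)) {
    return { status: 400, body: 'bad username' };
  }
  store.admins.add(body.username);
  return { status: 200, body: 'added' };
}

// A request with no session at all, sent straight to the route: this is what
// "an unauthenticated user can add administrators" means in practice.
function forgedRequest(username) {
  return { method: 'POST', path: '/admin/users', cookies: {}, body: JSON.stringify({ username }) };
}

// Run the same forged request against both handlers and report the outcome.
function demo() {
  const v = makeStore();
  const r1 = vulnerableAddAdmin(v, forgedRequest('mallory'));
  const s = makeStore();
  const r2 = secureAddAdmin(s, forgedRequest('mallory'));
  const r3 = secureAddAdmin(s, { ...forgedRequest('mallory'), cookies: { sid: 's_guest' } });
  const r4 = secureAddAdmin(s, { ...forgedRequest('carol'), cookies: { sid: 's_admin' } });
  return {
    vulnerableAccepted: r1.status === 200 && v.admins.has('mallory'),
    secureUnauth: r2.status,
    secureGuest: r3.status,
    secureAdmin: r4.status,
    secureAdmins: [...s.admins].sort(),
  };
}

console.log(demo());
```

The test a reviewer applies to any of the entries above is the one `demo()` runs: take the request the privileged UI would send, strip or downgrade the session, and replay it against the route. If the state changes, the check lives only in the client.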
CVE · added 2013/01/31 11:00 a.m. · 57 views

CVE-2012-0701

The IBM InfoSphere DataStage client in Information Server 8.1, 8.5 (before FP3), and 8.7 relies on client-side access control, enabling remote authenticated users to escalate privileges via unspecified vectors. Remediation (per IBM Security Bulletin): for 8.1, install Fix Pack 2 a...

CVSS 6.5 · AI score 6.4 · EPSS 0.00349
Exploits: 1 · References: 2 · Affected Software: 2