When using https but not DNSSEC, under what situation, a client is vulnerable?

Properly used https can mitigate the risk of not using DNSSsec because it is checked if the endpoint is the expected one by validating its certificate. Also, the data transport itself is protected. There are several things which can go wrong with https itself (weak ciphers, errors in validation process, too much trusted root CAs with same rights....) but if we assume that all this is handled properly (which is often not) https will give you the following protection:

• You talk to the correct server.
• The traffic between browser and server is protected in transit against sniffing and modification.

That's all you get.

Notably absent are protections against attacks caused by insecure web applications or bugs or design errors in the browser, that is CSRF, XSS, exploits using Flash, Java, Silverlight, ActiveX, include of 3rd-party code by the site you visit (i.e. social networks, tracking, advertisements...) and all the other typical attacks in today's web. And https will also not help if your computer is already compromised by malware or some security or helper software which does more harm than it helps.