A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.
The vulnerability is located in the maxprofile/guest-mode/routes.lua file and results from the lack of an authentication mechanism for the critical guest mode management function. The attacker sends specially crafted HTTP requests to the vulnerable endpoint, bypassing all access controls. As a result, it is possible to activate guest mode without a password without possessing any privileges in the system.
An unauthenticated remote attacker can take control of the system's guest mode function, leading to unauthorized access to resources protected by this mechanism, and potentially resulting in a breach of confidentiality, integrity, and availability of the system (CVSS score indicates complete compromise of all three areas).
Apply patches available from the manufacturer according to the references. It is recommended to update to a version higher than 2.11.0 and restrict network access to the Q-Free MaxTime system management interface exclusively to trusted hosts.
Q-Free MaxTime version 2.11.0 and all earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HQ Free Maxtime
APPQ-Free≤ 2.11.0
Related vulnerabilities
Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)
Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)
Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime
Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH
Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników