CRITICAL🇵🇱 Wersja polska

CVE-2025-26345

CVSS 9.8v3.1pub. 2025-02-12upd. 2025-10-24

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.

🤖 AI Analysis
How it works

The vulnerability is located in the maxprofile/menu/routes.lua file that handles HTTP request routing. The function responsible for editing user group permissions does not require any authentication before execution. An attacker can send crafted HTTP requests directly to the vulnerable endpoint, completely bypassing access control mechanisms and modifying permissions of any user groups.

Impact

An unauthenticated remote attacker can arbitrarily modify user group permissions in the system, which may lead to privilege escalation, unauthorized access to protected resources, and complete compromise of the system's confidentiality, integrity, and availability.

Mitigation & patch

Patches provided by the vendor should be applied according to the references. It is recommended to restrict network access to the Q-Free MaxTime management interface only to trusted hosts and to monitor HTTP traffic to vulnerable endpoints until the update is deployed.

Who is affected

Q-Free MaxTime version 2.11.0 and all earlier versions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Q Free Maxtime

    APP
    Q-Free
    ≤ 2.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26342CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)

CVE-2025-26341CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)

CVE-2025-26339CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime

CVE-2025-1100CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH

CVE-2025-26344CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła