A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via crafted HTTP requests.
The vulnerability exists in the maxtime/handleRoute.lua file, where critical routing functions are available without an authentication mechanism (CWE-306). An attacker can send crafted HTTP requests directly to the vulnerable endpoint, completely bypassing the access control layer. The lack of required authentication means that any remote user with network access to the device can invoke these functions.
An attacker can affect the confidentiality, integrity, and availability of the device in many unspecified ways, which may include unauthorized data reading, configuration modification, or disruption of the traffic management system operation.
Patches available from the manufacturer should be applied according to the references. It is also recommended to restrict network access to the device through a firewall and implement network segmentation so that the management interface is not accessible from untrusted networks.
Q-Free MaxTime version 2.11.0 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HQ Free Maxtime
APPQ-Free≤ 2.11.0
Related vulnerabilities
Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła
Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)
Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH
Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)
Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników