A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.
The maxprofile/accounts/routes.lua file lacks an authentication mechanism for the critical account management function. An attacker can send properly crafted HTTP requests directly to the vulnerable endpoint without needing any credentials. This makes it possible to register a new user with any privilege level, including full administrative rights.
An attacker can gain full control over the Q-Free MaxTime system by creating their own administrator account, leading to complete compromise of system confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references. It is recommended to urgently update the Q-Free MaxTime system to a version higher than 2.11.0 and restrict network access to the management interface using a firewall until the patch is implemented.
Q-Free MaxTime version 2.11.0 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HQ Free Maxtime
APPQ-Free≤ 2.11.0
Related vulnerabilities
Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła
Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)
Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime
Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH
Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników