CRITICAL🇵🇱 Wersja polska

CVE-2025-26342

CVSS 9.8v3.1pub. 2025-02-12upd. 2025-10-24

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.

🤖 AI Analysis
How it works

The maxprofile/accounts/routes.lua file lacks an authentication mechanism for the critical account management function. An attacker can send properly crafted HTTP requests directly to the vulnerable endpoint without needing any credentials. This makes it possible to register a new user with any privilege level, including full administrative rights.

Impact

An attacker can gain full control over the Q-Free MaxTime system by creating their own administrator account, leading to complete compromise of system confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to urgently update the Q-Free MaxTime system to a version higher than 2.11.0 and restrict network access to the management interface using a firewall until the patch is implemented.

Who is affected

Q-Free MaxTime version 2.11.0 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Q Free Maxtime

    APP
    Q-Free
    ≤ 2.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26344CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła

CVE-2025-26341CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)

CVE-2025-26339CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime

CVE-2025-1100CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH

CVE-2025-26345CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników