CRITICAL🇵🇱 Wersja polska

CVE-2025-26344

CVSS 9.8v3.1pub. 2025-02-12upd. 2025-10-24

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.

🤖 AI Analysis
How it works

The vulnerability is located in the maxprofile/guest-mode/routes.lua file and results from the lack of an authentication mechanism for the critical guest mode management function. The attacker sends specially crafted HTTP requests to the vulnerable endpoint, bypassing all access controls. As a result, it is possible to activate guest mode without a password without possessing any privileges in the system.

Impact

An unauthenticated remote attacker can take control of the system's guest mode function, leading to unauthorized access to resources protected by this mechanism, and potentially resulting in a breach of confidentiality, integrity, and availability of the system (CVSS score indicates complete compromise of all three areas).

Mitigation & patch

Apply patches available from the manufacturer according to the references. It is recommended to update to a version higher than 2.11.0 and restrict network access to the Q-Free MaxTime system management interface exclusively to trusted hosts.

Who is affected

Q-Free MaxTime version 2.11.0 and all earlier versions

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Q Free Maxtime

    APP
    Q-Free
    ≤ 2.11.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-26342CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)

CVE-2025-26341CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)

CVE-2025-26339CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime

CVE-2025-1100CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH

CVE-2025-26345CRITICAL9.8PL ✓ten sam produkt

Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników