A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.
The vulnerability is located in the maxprofile/menu/routes.lua file that handles HTTP request routing. The function responsible for editing user group permissions does not require any authentication before execution. An attacker can send crafted HTTP requests directly to the vulnerable endpoint, completely bypassing access control mechanisms and modifying permissions of any user groups.
An unauthenticated remote attacker can arbitrarily modify user group permissions in the system, which may lead to privilege escalation, unauthorized access to protected resources, and complete compromise of the system's confidentiality, integrity, and availability.
Patches provided by the vendor should be applied according to the references. It is recommended to restrict network access to the Q-Free MaxTime management interface only to trusted hosts and to monitor HTTP traffic to vulnerable endpoints until the update is deployed.
Q-Free MaxTime version 2.11.0 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HQ Free Maxtime
APPQ-Free≤ 2.11.0
Related vulnerabilities
Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)
Q-Free MaxTime: resetowanie haseł bez uwierzytelnienia (CWE-306)
Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime
Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH
Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła