129 vulnerabilities found for MaxTime by Q-Free
FKIE_CVE-2025-26378
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-04-10 20:25
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26378 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/users/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante autenticado (con pocos privilegios) restablecer contrase\u00f1as, incluida las de cuentas de administrador, a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26378",
"lastModified": "2025-04-10T20:25:15.307",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:39.163",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26378"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-26373
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:41
Severity
Summary
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26373 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/users/routes.lua (user endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un error CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/users/routes.lua (usuario endpoint) en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) enumere usuarios a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26373",
"lastModified": "2025-10-28T15:41:46.897",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:38.360",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26373"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26375
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-04-10 18:55
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26375 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/users/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) cree usuarios con privilegios arbitrarios a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26375",
"lastModified": "2025-04-10T18:55:29.077",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:38.633",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26375"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-26377
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:41
Severity
Summary
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26377 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/users/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) elimine usuarios mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26377",
"lastModified": "2025-10-28T15:41:39.100",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:38.933",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26377"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26372
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-03-03 22:12
Severity
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26372 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/user-groups/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) elimine usuarios de grupos mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26372",
"lastModified": "2025-03-03T22:12:13.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:38.227",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26372"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26371
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-04-10 19:54
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26371 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/user-groups/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) agregue usuarios a grupos mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26371",
"lastModified": "2025-04-10T19:54:12.560",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:38.077",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26371"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26374
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-03-03 22:12
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26374 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/users/routes.lua (usuarios endpoint) en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante autenticado (con pocos privilegios) enumerar usuarios a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26374",
"lastModified": "2025-03-03T22:12:48.590",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:38.500",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26374"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26376
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-04-10 19:54
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26376 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/users/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) modifique datos del usuario a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26376",
"lastModified": "2025-04-10T19:54:07.187",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:38.777",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26376"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26370
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:41
Severity
Summary
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26370 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/user-groups/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) elimine privilegios de grupos de usuarios mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26370",
"lastModified": "2025-10-28T15:41:52.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:37.940",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26370"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26369
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-05-27 21:25
Severity
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/user-groups/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) agregue privilegios a grupos de usuarios mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26369",
"lastModified": "2025-05-27T21:25:39.230",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:37.800",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26369"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-26368
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-04-10 18:55
Severity
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26368 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un error CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/user-groups/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) elimine grupos de usuarios mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26368",
"lastModified": "2025-04-10T18:55:33.947",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:37.660",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26368"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-26366
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:42
Severity ?
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26366 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/setup/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante remoto no autenticado deshabilite la autenticaci\u00f3n del panel frontal mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26366",
"lastModified": "2025-10-28T15:42:04.690",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:37.397",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26366"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26364
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:42
Severity ?
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26364 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/setup/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto no autenticado deshabilitar un servidor de perfil de autenticaci\u00f3n mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26364",
"lastModified": "2025-10-28T15:42:15.700",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:37.123",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26364"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26367
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-04-10 19:54
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26367 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-862 \"Missing Authorization\" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un error CWE-862 \"Autorizaci\u00f3n faltante\" en maxprofile/user-groups/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante autenticado (con pocos privilegios) cree grupos de usuarios arbitrarios a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26367",
"lastModified": "2025-04-10T19:54:17.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:37.533",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26367"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-26365
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:42
Severity ?
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26365 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/setup/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante remoto no autenticado habilite la autenticaci\u00f3n del panel frontal a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26365",
"lastModified": "2025-10-28T15:42:10.587",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:37.267",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26365"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26357
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:46
Severity ?
Summary
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26357 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-35 \"Path Traversal\" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-35 \"Path Traversal\" en maxtime/api/database/database.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado leer archivos confidenciales a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26357",
"lastModified": "2025-10-28T15:46:19.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:36.160",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26357"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-35"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26363
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:42
Severity ?
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26363 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/setup/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante remoto no autenticado habilite un servidor de perfil de autenticaci\u00f3n a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26363",
"lastModified": "2025-10-28T15:42:23.580",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:36.983",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26363"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26358
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:45
Severity ?
Summary
A CWE-15 "External Control of System or Configuration Setting" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26358 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-15 \"External Control of System or Configuration Setting\" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests."
},
{
"lang": "es",
"value": "Una \"Validaci\u00f3n de entrada incorrecta\" CWE-20 en ldbMT.so en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado modificar la configuraci\u00f3n sistema a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26358",
"lastModified": "2025-10-28T15:45:41.180",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:36.297",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26358"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26361
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:44
Severity ?
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26361 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/setup/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante remoto no autenticado restablezca el dispositivo de f\u00e1brica a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26361",
"lastModified": "2025-10-28T15:44:31.440",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:36.717",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26361"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26359
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:45
Severity ?
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26359 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/accounts/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto no autenticado restablecer los PIN de los usuarios mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26359",
"lastModified": "2025-10-28T15:45:28.310",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:36.437",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26359"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26362
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:42
Severity ?
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26362 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/setup/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto no autenticado establecer un servidor de perfil de autenticaci\u00f3n arbitrario a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26362",
"lastModified": "2025-10-28T15:42:30.657",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:36.847",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26362"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26360
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:45
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26360 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/persistance/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante remoto no autenticado elimine paneles mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26360",
"lastModified": "2025-10-28T15:45:11.133",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:36.577",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26360"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26356
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:46
Severity ?
Summary
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26356 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-35 \"Path Traversal\" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-35 \"Path Traversal\" en maxtime/api/database/database.lua (setActive endpoint) en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado sobrescribir archivos confidenciales mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26356",
"lastModified": "2025-10-28T15:46:25.613",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:36.017",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26356"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-35"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26350
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-24 15:01
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26350 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-434 \"Unrestricted Upload of File with Dangerous Type\" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Una CWE-434 \"Carga sin restricciones de archivo con tipo peligroso\" en las cargas de archivos de plantilla en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite que un atacante remoto autenticado cargue archivos maliciosos a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26350",
"lastModified": "2025-10-24T15:01:27.630",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-12T14:15:35.107",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26350"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26351
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-24 14:59
Severity
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26351 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-35 \"Path Traversal\" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-35 \"Path Traversal\" en el mecanismo de descarga de plantillas en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado leer archivos confidenciales a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26351",
"lastModified": "2025-10-24T14:59:31.880",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:35.270",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26351"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-35"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26354
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:46
Severity
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26354 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-35 \"Path Traversal\" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-35 \"Path Traversal\" en maxtime/api/database/database.lua (copia endpoint) en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado sobrescribir archivos confidenciales mediante solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26354",
"lastModified": "2025-10-28T15:46:35.500",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:35.727",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26354"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-35"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26355
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:46
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26355 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-35 \"Path Traversal\" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-35 \"Path Traversal\" en maxtime/api/database/database.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado eliminar archivos confidenciales a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26355",
"lastModified": "2025-10-28T15:46:29.943",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:35.870",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26355"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-35"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26352
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:46
Severity
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary
A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26352 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-35 \"Path Traversal\" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-35 \"Path Traversal\" en el mecanismo de eliminaci\u00f3n de plantillas en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado eliminar archivos confidenciales a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26352",
"lastModified": "2025-10-28T15:46:52.867",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:35.430",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26352"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-35"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26353
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-28 15:46
Severity
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26353 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-35 \"Path Traversal\" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-35 \"Path Traversal\" en maxtime/api/sql/sql.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto autenticado leer archivos confidenciales a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26353",
"lastModified": "2025-10-28T15:46:42.513",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:35.587",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26353"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-35"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-26347
Vulnerability from fkie_nvd - Published: 2025-02-12 14:15 - Updated: 2025-10-24 15:03
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.
References
| Source | URL | Tags |
|---|---|---|
| prodsec@nozominetworks.com | https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26347 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:q-free:maxtime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3BCAC20E-CD58-4376-BD70-584BCC62FA4E",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A CWE-306 \"Missing Authentication for Critical Function\" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests."
},
{
"lang": "es",
"value": "Un CWE-306 \"Autenticaci\u00f3n faltante para funci\u00f3n cr\u00edtica\" en maxprofile/menu/routes.lua en Q-Free MaxTime menor o igual a la versi\u00f3n 2.11.0 permite a un atacante remoto no autenticado editar permisos de usuario a trav\u00e9s de solicitudes HTTP manipulado."
}
],
"id": "CVE-2025-26347",
"lastModified": "2025-10-24T15:03:19.977",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
},
"published": "2025-02-12T14:15:34.687",
"references": [
{
"source": "prodsec@nozominetworks.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26347"
}
],
"sourceIdentifier": "prodsec@nozominetworks.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "prodsec@nozominetworks.com",
"type": "Secondary"
}
]
}