Q-free

Maxtime

43 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2025-26365

  • EPSS 0.14%
  • Veröffentlicht 12.02.2025 14:15:37
  • Zuletzt bearbeitet 28.10.2025 15:42:10

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests.

7.5

CVE-2025-26366

  • EPSS 0.14%
  • Veröffentlicht 12.02.2025 14:15:37
  • Zuletzt bearbeitet 28.10.2025 15:42:04

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.

4.3

CVE-2025-26367

  • EPSS 0.16%
  • Veröffentlicht 12.02.2025 14:15:37
  • Zuletzt bearbeitet 10.04.2025 19:54:17

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests.

8.8

CVE-2025-26369

  • EPSS 0.3%
  • Veröffentlicht 12.02.2025 14:15:37
  • Zuletzt bearbeitet 27.05.2025 21:25:39

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.

7.1

CVE-2025-26370

  • EPSS 0.24%
  • Veröffentlicht 12.02.2025 14:15:37
  • Zuletzt bearbeitet 28.10.2025 15:41:52

A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove privileges from user groups via crafted HTTP requests.

4.9

CVE-2025-26357

  • EPSS 0.36%
  • Veröffentlicht 12.02.2025 14:15:36
  • Zuletzt bearbeitet 28.10.2025 15:46:19

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.

7.5

CVE-2025-26363

  • EPSS 0.14%
  • Veröffentlicht 12.02.2025 14:15:36
  • Zuletzt bearbeitet 28.10.2025 15:42:23

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable an authentication profile server via crafted HTTP reque...

7.5

CVE-2025-26362

  • EPSS 0.14%
  • Veröffentlicht 12.02.2025 14:15:36
  • Zuletzt bearbeitet 28.10.2025 15:42:30

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to set an arbitrary authentication profile server via crafted HTT...

9.1

CVE-2025-26361

  • EPSS 0.31%
  • Veröffentlicht 12.02.2025 14:15:36
  • Zuletzt bearbeitet 28.10.2025 15:44:31

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.

5.3

CVE-2025-26360

  • EPSS 0.14%
  • Veröffentlicht 12.02.2025 14:15:36
  • Zuletzt bearbeitet 28.10.2025 15:45:11

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/persistance/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to delete dashboards via crafted HTTP requests.