Q-free

Maxtime

43 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.36%
  • Published 12.02.2025 14:15:36
  • Last modified 28.10.2025 15:45:28

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.

  • EPSS 0.35%
  • Published 12.02.2025 14:15:36
  • Last modified 28.10.2025 15:45:41

A CWE-15 "External Control of System or Configuration Setting" in ldbMT.so in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to modify system configuration via crafted HTTP requests.

  • EPSS 2.17%
  • Published 12.02.2025 14:15:36
  • Last modified 28.10.2025 15:46:25

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (setActive endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.

  • EPSS 1.8%
  • Published 12.02.2025 14:15:35
  • Last modified 28.10.2025 15:46:29

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.

  • EPSS 2.17%
  • Published 12.02.2025 14:15:35
  • Last modified 28.10.2025 15:46:35

A CWE-35 "Path Traversal" in maxtime/api/database/database.lua (copy endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite sensitive files via crafted HTTP requests.

  • EPSS 0.36%
  • Published 12.02.2025 14:15:35
  • Last modified 28.10.2025 15:46:42

A CWE-35 "Path Traversal" in maxtime/api/sql/sql.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.

  • EPSS 1.8%
  • Published 12.02.2025 14:15:35
  • Last modified 28.10.2025 15:46:52

A CWE-35 "Path Traversal" in the template deletion mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to delete sensitive files via crafted HTTP requests.

  • EPSS 0.36%
  • Published 12.02.2025 14:15:35
  • Last modified 24.10.2025 14:59:31

A CWE-35 "Path Traversal" in the template download mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to read sensitive files via crafted HTTP requests.

  • EPSS 0.24%
  • Published 12.02.2025 14:15:35
  • Last modified 24.10.2025 15:01:27

A CWE-434 "Unrestricted Upload of File with Dangerous Type" in the template file uploads in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to upload malicious files via crafted HTTP requests.

  • EPSS 0.31%
  • Published 12.02.2025 14:15:34
  • Last modified 24.10.2025 15:03:19

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.