Q-free

Maxtime

43 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.1

CVE-2025-26343

  • EPSS 0.12%
  • Veröffentlicht 12.02.2025 14:15:34
  • Zuletzt bearbeitet 24.10.2025 15:04:41

A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.

9.8

CVE-2025-26344

  • EPSS 0.3%
  • Veröffentlicht 12.02.2025 14:15:34
  • Zuletzt bearbeitet 24.10.2025 15:04:28

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.

9.8

CVE-2025-26345

  • EPSS 0.25%
  • Veröffentlicht 12.02.2025 14:15:34
  • Zuletzt bearbeitet 24.10.2025 15:04:03

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.

7.6

CVE-2025-26346

  • EPSS 0.41%
  • Veröffentlicht 12.02.2025 14:15:34
  • Zuletzt bearbeitet 24.10.2025 15:03:50

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserGroupMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker t...

7.6

CVE-2025-26348

  • EPSS 0.41%
  • Veröffentlicht 12.02.2025 14:15:34
  • Zuletzt bearbeitet 24.10.2025 15:02:54

A CWE-89 "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" in maxprofile/menu/model.lua (editUserMenu endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to exe...

7.2

CVE-2025-26349

  • EPSS 1.48%
  • Veröffentlicht 12.02.2025 14:15:34
  • Zuletzt bearbeitet 24.10.2025 15:01:50

A CWE-23 "Relative Path Traversal" in the file upload mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated remote attacker to overwrite arbitrary files via crafted HTTP requests.

9.8

CVE-2025-26342

  • EPSS 0.3%
  • Veröffentlicht 12.02.2025 14:15:33
  • Zuletzt bearbeitet 24.10.2025 15:04:54

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via craft...

9.8

CVE-2025-26341

  • EPSS 0.3%
  • Veröffentlicht 12.02.2025 14:15:33
  • Zuletzt bearbeitet 24.10.2025 15:05:05

A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.

8.8

CVE-2025-26340

  • EPSS 0.18%
  • Veröffentlicht 12.02.2025 14:15:33
  • Zuletzt bearbeitet 24.10.2025 14:58:48

A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.

9.8

CVE-2025-26339

  • EPSS 0.3%
  • Veröffentlicht 12.02.2025 14:15:33
  • Zuletzt bearbeitet 24.10.2025 14:58:59

A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in m...