Q-Free MaxTime Password Reset Vulnerability Due to Missing Authentication

Vulnerability

A vulnerability allowing password resets for arbitrary users has been identified in Q-Free MaxTime versions through 2.11.0. The issue arises from a missing authentication mechanism in the 'maxprofile/accounts/routes.lua' file, which lets unauthenticated remote attackers trigger a password reset by sending crafted HTTP requests.

Impact

Exploitation of this vulnerability allows an unauthenticated remote attacker to reset user passwords, potentially locking out legitimate users and gaining control over their accounts.
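
The defect class described above, as an added illustration that is not Q-Free's code and assumes nothing about MaxTime's actual routes or web framework: a framework-free password-reset handler with no authentication check, beside a hardened version that first authenticates the caller from a session cookie and then authorizes the target account. The user store, session table and request shape are constructed for the example.

```python
# Added illustration of a password-reset handler missing authentication,
# beside a hardened version. Constructed model, NOT Q-Free MaxTime code;
# the user store, session table and request dict shape are assumptions.
import hashlib
import hmac
import os

# Constructed sample state: user records (salted hash filled on reset) and
# sessions mapping an opaque session token to the authenticated user name.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "admin": {"role": "admin"}}
SESSIONS = {"tok-alice": "alice", "tok-admin": "admin"}

def _hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def _store_password(username: str, password: str) -> None:
    USERS[username]["salt"], USERS[username]["hash"] = _hash_password(password)

def reset_password_vulnerable(request: dict) -> int:
    """Missing authentication: trusts the 'user' field of any request,
    so anyone who can reach the endpoint can reset any account."""
    target = request["body"]["user"]
    if target not in USERS:
        return 404
    _store_password(target, request["body"]["new_password"])
    return 200

def reset_password_hardened(request: dict) -> int:
    """Authenticate the caller from the session cookie, then authorize:
    a user may reset only their own password, an admin may reset any."""
    token = request.get("cookies", {}).get("session", "")
    caller = SESSIONS.get(token)
    if caller is None:
        return 401  # no valid session: not authenticated
    target = request["body"]["user"]
    if target not in USERS:
        return 404
    if caller != target and USERS[caller]["role"] != "admin":
        return 403  # authenticated, but not authorized for this account
    _store_password(target, request["body"]["new_password"])
    return 200

def verify_password(username: str, password: str) -> bool:
    """Check a password against the stored salted hash (constant-time compare)."""
    user = USERS[username]
    if "hash" not in user:
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"])[1], user["hash"])
```

The vulnerable handler accepts a reset for 'bob' with no session at all; the hardened one returns 401 for the same request, 403 when 'alice' targets 'bob', and 200 only for self-service or an admin session.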

Remediation

No official patch has been released. Until one is available, it is recommended to restrict and monitor network access to the management web application on devices running Q-Free MaxTime versions through 2.11.0.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.