Q-Free MaxTime Missing Authentication Vulnerability in Authentication Profile Management
Vulnerability
Q-Free MaxTime versions through 2.11.0 allow unauthenticated remote attackers to manipulate authentication profiles. The root cause is a missing authentication check for a critical function, located in the maxprofile/setup/routes.lua file: the route that manages authentication profiles is wired directly to its handler without first verifying the caller's identity. An attacker who can reach the management web server over the network can invoke that route with crafted HTTP requests, and because the handler never checks for a valid session, the authentication mechanism is bypassed for that function.
Impact
An unauthenticated remote attacker can set arbitrary authentication profiles on the server. Since these profiles govern how users are authenticated, controlling them may let the attacker bypass authentication requirements for the rest of the application as well.
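To make the flaw class concrete, the following is an added model of a "missing authentication for critical function" route and its hardened counterpart. It is illustrative code written for this page, not Q-Free's code, and it does not reproduce the real routes.lua; the URL path /maxprofile/setup/profile, the handler and session-store names, and the role model are all hypothetical.

```python
"""
Illustrative model of a route table that maps a critical function (setting an
authentication profile) straight to its handler with no identity check, beside
a dispatcher that enforces authentication and authorisation before the handler
runs. All names here are hypothetical; this is not the vendor's code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    body: Dict[str, str]
    session_token: Optional[str] = None  # e.g. from a cookie; None when absent


@dataclass
class Server:
    profiles: Dict[str, Dict[str, str]] = field(default_factory=dict)
    valid_sessions: Dict[str, str] = field(default_factory=dict)  # token -> role
    audit_log: list = field(default_factory=list)


def set_auth_profile(req: Request, srv: Server) -> Tuple[int, str]:
    """Critical function: creates or overwrites an authentication profile."""
    name = req.body.get("name")
    if not name:
        return 400, "missing profile name"
    srv.profiles[name] = {k: v for k, v in req.body.items() if k != "name"}
    srv.audit_log.append(f"profile {name} set")
    return 200, f"profile {name} stored"


# --- Vulnerable pattern: the route table binds the path directly to the handler ---
VULNERABLE_ROUTES: Dict[Tuple[str, str], Callable] = {
    ("POST", "/maxprofile/setup/profile"): set_auth_profile,  # hypothetical path
}


def dispatch_vulnerable(req: Request, srv: Server) -> Tuple[int, str]:
    handler = VULNERABLE_ROUTES.get((req.method, req.path))
    if handler is None:
        return 404, "not found"
    return handler(req, srv)  # nothing ever looks at req.session_token


# --- Hardened pattern: each route declares the role it needs; the dispatcher enforces it ---
HARDENED_ROUTES: Dict[Tuple[str, str], Tuple[str, Callable]] = {
    ("POST", "/maxprofile/setup/profile"): ("admin", set_auth_profile),
}


def dispatch_hardened(req: Request, srv: Server) -> Tuple[int, str]:
    entry = HARDENED_ROUTES.get((req.method, req.path))
    if entry is None:
        return 404, "not found"
    required_role, handler = entry
    role = srv.valid_sessions.get(req.session_token) if req.session_token else None
    if role is None:
        return 401, "authentication required"  # deny before the handler can run
    if role != required_role:
        return 403, "insufficient privilege"
    return handler(req, srv)


if __name__ == "__main__":
    srv = Server()
    anon = Request("POST", "/maxprofile/setup/profile", {"name": "backdoor", "mode": "none"})
    print("vulnerable:", dispatch_vulnerable(anon, srv), srv.profiles)
    print("hardened:  ", dispatch_hardened(anon, Server()))
```

The design point is that the authentication check lives in the dispatcher, keyed off the route table, rather than being something each handler remembers to do; a route added without a required role then fails closed at the type level instead of silently becoming an unauthenticated critical function.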
Remediation
No official patch is available at the time of writing. Until one is, restrict network access to the management web application on devices running Q-Free MaxTime versions through 2.11.0 to trusted management hosts only (for example via firewall rules or a reverse proxy allowlist), and monitor the web server's access logs for requests to the profile-management routes that originate from any other source.
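The monitoring half of that recommendation can be automated with a small log scan. The script below is an added example written for this page, not vendor tooling; it assumes the device's web server writes Apache/nginx combined log format and that the profile-management routes live under the URL prefix /maxprofile/setup (inferred from the routes.lua location named above, so treat it as an assumption and adjust to the real paths). The log lines are constructed for the demonstration.

```python
"""
Scan web-server access logs for requests to the profile-management routes that
come from outside the management network. Added example, not vendor code.
Assumptions: combined log format; sensitive routes start with /maxprofile/setup;
management hosts live in 10.10.5.0/24. All three are placeholders to adjust.
"""
import ipaddress
import re
from typing import Iterable, List, Sequence, Tuple

# Constructed sample lines for demonstration; not real device output.
SAMPLE_LOG = """\
10.10.5.20 - admin [12/Mar/2024:09:14:02 +0000] "POST /maxprofile/setup/profile HTTP/1.1" 200 512
203.0.113.77 - - [12/Mar/2024:09:15:44 +0000] "POST /maxprofile/setup/profile HTTP/1.1" 200 512
203.0.113.77 - - [12/Mar/2024:09:15:45 +0000] "GET /maxprofile/setup/profile HTTP/1.1" 200 2048
10.10.5.21 - - [12/Mar/2024:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [12/Mar/2024:09:17:00 +0000] "GET /maxprofile/setup HTTP/1.1" 200 900
not-a-log-line
"""

# Combined log format: ip ident user [timestamp] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SENSITIVE_PREFIX = "/maxprofile/setup"  # assumed URL prefix of the affected routes
MGMT_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]  # hypothetical allowlist
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

Hit = Tuple[str, str, str, str, str]  # (ip, method, path, status, severity)


def find_unauthorized_profile_access(
    lines: Iterable[str],
    allowed_networks: Sequence[ipaddress.IPv4Network],
    sensitive_prefix: str = SENSITIVE_PREFIX,
) -> List[Hit]:
    """Return every request to the sensitive prefix whose source IP is not
    inside one of the allowed management networks. Writes are rated high
    because they correspond to profile manipulation; reads are medium."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostnames in the client field cannot be allowlisted by CIDR
        if not m["path"].startswith(sensitive_prefix):
            continue
        if any(ip in net for net in allowed_networks):
            continue
        severity = "high" if m["method"].upper() in WRITE_METHODS else "medium"
        hits.append((m["ip"], m["method"], m["path"], m["status"], severity))
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_profile_access(SAMPLE_LOG.splitlines(), MGMT_NETWORKS):
        print("ALERT", *hit)
```

A 200 status on a write to the profile route from a non-management address is the signature to escalate on, since on an unpatched device it means the handler ran without any credential. The same allowlist should also be enforced in front of the application (firewall or reverse proxy), so that the log scan is a detective control on top of a preventive one rather than the only line of defence.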
