Q-Free MaxTime Missing Authorization Vulnerability in User Groups Management
Vulnerability
A missing authorization vulnerability has been identified in Q-Free MaxTime versions through 2.11.0. The user-groups route of the management web application authenticates the caller but does not check whether that caller is privileged to manage groups, so any authenticated low-privileged remote attacker can remove user groups by sending crafted HTTP requests to that route.
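The pattern behind this class of flaw, shown as an added illustration that is not Q-Free MaxTime's code: a DELETE handler that stops at authentication, beside the same handler with an authorization check for the specific action. The route path `/user-groups/<name>`, the role and permission names, the `Request` type and the user records are all assumptions constructed for the example.

```python
"""Missing-authorization flaw on a group-deletion route, vulnerable vs. fixed.

Hypothetical mock written for this advisory; it is NOT Q-Free MaxTime's code.
Route path, roles, permission names and sample accounts are assumptions.
"""
import hmac
from dataclasses import dataclass

# Constructed sample accounts and a role-to-permission map (assumed, not real).
USERS = {
    "admin": {"password": "adm-pass", "role": "admin"},
    "viewer": {"password": "view-pass", "role": "viewer"},
}
ROLE_PERMISSIONS = {
    "admin": {"user_groups:read", "user_groups:delete"},
    "viewer": {"user_groups:read"},
}


@dataclass
class Request:
    method: str
    path: str
    auth: tuple  # (username, password) as carried by HTTP Basic auth (constructed)


def authenticate(req):
    """Return the username if the credentials match, else None."""
    user, pw = req.auth
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], pw):
        return None
    return user


def fresh_groups():
    """Constructed group table; each call returns an independent copy."""
    return {"operators": {"members": ["viewer"]}, "auditors": {"members": []}}


def delete_group_vulnerable(req, groups):
    """Checks WHO the caller is but never WHAT the caller may do."""
    user = authenticate(req)
    if user is None:
        return 401
    name = req.path.rsplit("/", 1)[-1]
    if name not in groups:
        return 404
    del groups[name]  # any authenticated account reaches this line
    return 204


def delete_group_fixed(req, groups):
    """Authentication, then authorization for this action, then the work."""
    user = authenticate(req)
    if user is None:
        return 401
    perms = ROLE_PERMISSIONS.get(USERS[user]["role"], set())
    if "user_groups:delete" not in perms:
        # Deny before looking the group up, so unprivileged callers also
        # cannot use 404-vs-204 responses to enumerate group names.
        return 403
    name = req.path.rsplit("/", 1)[-1]
    if name not in groups:
        return 404
    del groups[name]
    return 204


def demo(handler, username):
    """Send DELETE /user-groups/operators as `username`; return status and remaining groups."""
    groups = fresh_groups()
    req = Request("DELETE", "/user-groups/operators",
                  (username, USERS[username]["password"]))
    status = handler(req, groups)
    return status, sorted(groups)


if __name__ == "__main__":
    print("vulnerable, viewer:", demo(delete_group_vulnerable, "viewer"))  # 204, group gone
    print("fixed, viewer:     ", demo(delete_group_fixed, "viewer"))       # 403, group kept
    print("fixed, admin:      ", demo(delete_group_fixed, "admin"))        # 204, group gone
```

The fixed handler also orders its checks so that the permission test precedes the existence lookup; otherwise a low-privileged caller who cannot delete anything could still learn which group names exist from the status code.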
Impact
Exploitation of this vulnerability allows authenticated low-privileged remote attackers to delete user groups, potentially disrupting access and permissions for affected users.
Remediation
No official patch has been announced by the vendor. Until one is available, regularly review the user and group configuration in the management web application of Q-Free MaxTime devices running versions through 2.11.0 and confirm that every group and its membership is as expected, since a deleted group is the observable trace of this flaw being exploited. Also review all user accounts in the same application and remove any that are not needed: the flaw is exploitable by any authenticated account, so every unnecessary account widens the set of people who can trigger it.
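One way to make the recommended review repeatable, as an added example rather than a vendor tool: compare a known-good export of users and groups against the current state and report removed groups, changed memberships, new or re-roled accounts, and accounts that belong to no group (candidates for removal). The JSON shape, with users carrying a role and groups listing members, is an assumption about what an export from the management application might look like; the two documents below are constructed sample data.

```python
"""Baseline-vs-current review of users and groups.

Added example for this advisory, not a Q-Free MaxTime tool. The JSON layout
is an assumption; BASELINE_JSON and CURRENT_JSON are constructed samples.
"""
import json

# Constructed: state captured when the configuration was last verified.
BASELINE_JSON = """
{"users": {"alice": {"role": "admin"}, "bob": {"role": "operator"},
           "carol": {"role": "auditor"}, "dave": {"role": "operator"}},
 "groups": {"operators": ["alice", "bob"], "auditors": ["carol"]}}
"""

# Constructed: state exported today. The "auditors" group is gone, "bob" was
# promoted, and a new account "eve" was added to "operators".
CURRENT_JSON = """
{"users": {"alice": {"role": "admin"}, "bob": {"role": "admin"},
           "carol": {"role": "auditor"}, "dave": {"role": "operator"},
           "eve": {"role": "operator"}},
 "groups": {"operators": ["alice", "bob", "eve"]}}
"""


def load(text):
    """Parse an export and normalise group membership to sets."""
    doc = json.loads(text)
    return {
        "users": doc["users"],
        "groups": {g: set(members) for g, members in doc["groups"].items()},
    }


def review(baseline, current):
    """Return sorted (finding, subject) pairs describing every deviation."""
    findings = []
    # Removed or altered groups are the signature of this advisory's flaw.
    for g in baseline["groups"]:
        if g not in current["groups"]:
            findings.append(("group_removed", g))
        elif current["groups"][g] != baseline["groups"][g]:
            findings.append(("group_members_changed", g))
    for g in current["groups"]:
        if g not in baseline["groups"]:
            findings.append(("group_added", g))
    # Account drift: each account is one more principal that can exploit the flaw.
    for u, rec in current["users"].items():
        if u not in baseline["users"]:
            findings.append(("user_added", u))
        elif rec["role"] != baseline["users"][u]["role"]:
            findings.append(("user_role_changed", u))
    for u in baseline["users"]:
        if u not in current["users"]:
            findings.append(("user_removed", u))
    # Accounts in no group at all are candidates for the "remove unnecessary
    # accounts" step; this also catches members orphaned by a deleted group.
    grouped = set().union(*current["groups"].values()) if current["groups"] else set()
    for u in current["users"]:
        if u not in grouped:
            findings.append(("user_in_no_group", u))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in review(load(BASELINE_JSON), load(CURRENT_JSON)):
        print(f"{kind:22} {subject}")
```

Run it against a fresh export on a schedule and treat any `group_removed` finding as a potential exploitation of this vulnerability rather than routine drift, then check the web server's access log for DELETE requests to the user-groups route from low-privileged accounts around the time the group disappeared.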