Q-Free MaxTime Missing Authorization Vulnerability in User Groups Management
Vulnerability
A missing authorization vulnerability has been identified in Q-Free MaxTime versions through 2.11.0. This vulnerability allows authenticated low-privileged attackers to manipulate user group privileges by sending crafted HTTP requests. The issue is located in the user-groups routing file of the MaxProfile module.
Impact
Exploitation of this vulnerability allows authenticated low-privileged remote attackers to escalate privileges within user groups, potentially leading to unauthorized access rights.
Remediation
No official patch has been communicated by the vendor. As a temporary measure, it is recommended to review the user and group configuration in the management web application of Q-Free MaxTime versions through 2.11.0, verifying that each group's privileges and each account's group memberships are what you expect. Additionally, review all accounts in the same management application and remove any that are no longer needed.
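The following is an added illustration of the vulnerability class described above and of the review step in the remediation; it is not Q-Free MaxTime code and makes no claim about how the MaxProfile module is implemented. It contrasts a group-privilege update handler that checks only authentication (so any logged-in user may rewrite a group's privileges) with one that also checks authorization, and adds a small audit helper that flags accounts holding a sensitive privilege through group membership without the admin role. All user, group, role and privilege names are constructed assumptions.

```python
"""Added illustration, not Q-Free MaxTime code: a user-group privilege update
handler that checks only authentication (the missing-authorization pattern)
beside a hardened handler that also checks authorization, plus an audit helper
for the configuration-review step. Every name, role and data value here is a
constructed assumption for the example."""
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when a request is rejected (401-style or 403-style)."""


@dataclass
class User:
    name: str
    roles: frozenset  # application roles, e.g. {"admin"} or {"operator"}


@dataclass
class Group:
    name: str
    privileges: set  # privileges granted to every member of the group


def fresh_state():
    """Constructed sample state: two groups, one admin and one low-privileged user."""
    groups = {
        "viewers": Group("viewers", {"read"}),
        "admins": Group("admins", {"read", "write", "manage_users"}),
    }
    membership = {"alice": {"admins"}, "bob": {"viewers"}}
    users = {
        "alice": User("alice", frozenset({"admin"})),
        "bob": User("bob", frozenset({"operator"})),
    }
    return groups, membership, users


def update_group_vulnerable(session_user, group_name, privileges, groups):
    """Missing authorization: only *who you are* is checked, not *what you may do*.
    Any authenticated user, including a low-privileged one, can rewrite the
    privileges of any group, including the group they themselves belong to."""
    if session_user is None:
        raise AuthError("authentication required")
    groups[group_name].privileges = set(privileges)
    return groups[group_name].privileges


def update_group_hardened(session_user, group_name, privileges, groups):
    """Same operation with an explicit server-side authorization check."""
    if session_user is None:
        raise AuthError("authentication required")
    if "admin" not in session_user.roles:
        # Deny by default: managing group privileges is an admin-only action.
        raise AuthError(f"forbidden: {session_user.name} may not manage groups")
    groups[group_name].privileges = set(privileges)
    return groups[group_name].privileges


def find_unexpected_privileges(groups, membership, users, sensitive):
    """Audit helper for the review step: return the names of users who hold a
    sensitive privilege through group membership without holding the admin role."""
    flagged = set()
    for name, user in users.items():
        if "admin" in user.roles:
            continue
        for gname in membership.get(name, ()):
            if groups[gname].privileges & sensitive:
                flagged.add(name)
    return flagged


if __name__ == "__main__":
    groups, membership, users = fresh_state()
    bob = users["bob"]
    # The unchecked handler lets a low-privileged user change their own group...
    update_group_vulnerable(bob, "viewers", {"read", "manage_users"}, groups)
    print("audit after vulnerable update:",
          find_unexpected_privileges(groups, membership, users, {"manage_users"}))
    # ...while the hardened handler rejects the same request.
    try:
        update_group_hardened(bob, "viewers", {"read", "manage_users"}, fresh_state()[0])
    except AuthError as e:
        print("hardened handler:", e)
```

The audit helper is what the remediation's "review user and group configurations" step boils down to in practice: run it against the current state and treat any flagged account as a candidate for either removing the privilege from the group or removing the account.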
