Q-Free MaxTime Missing Authorization Vulnerability in User Groups Management
Vulnerability
A missing authorization vulnerability has been identified in Q-Free MaxTime versions through 2.11.0. This vulnerability allows authenticated low-privileged attackers to remove privileges from user groups by sending crafted HTTP requests. The issue is located in the user-groups route of the application.
Impact
Exploitation of this vulnerability could allow an authenticated low-privileged remote attacker to remove privileges from user groups, potentially disrupting access to critical resources.
Remediation
No official solution has been communicated by the vendor. As a temporary measure, it is recommended to periodically review user and group configurations in the management web application for Q-Free MaxTime versions through 2.11.0, ensuring all settings are correct. Additionally, review all accounts in the same management web application and delete any unnecessary ones.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.