Q-Free MaxTime Missing Authorization Vulnerability Allowing Arbitrary User Privilege Escalation
Vulnerability
A missing authorization vulnerability has been identified in Q-Free MaxTime versions through 2.11.0. The user-creation endpoint does not verify that the caller is permitted to create users or to assign the requested privileges, so an authenticated low-privileged attacker can create users with arbitrary privileges by sending crafted HTTP requests. The issue is located in the 'maxprofile/users/routes.lua' file.
Impact
Exploitation of this vulnerability could enable an authenticated low-privileged remote attacker to create users with administrative privileges, resulting in full control over the system.
Remediation
No official solution has been communicated by the vendor. As a temporary measure, it is recommended to periodically review user and group configurations in the management web application of devices running Q-Free MaxTime versions through 2.11.0, confirming that no unexpected accounts or privilege assignments are present. Additionally, review all accounts in the same management web application and remove any unnecessary ones.
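The following is an added illustration, not code from Q-Free MaxTime or its vendor, covering both the vulnerability description and the remediation advice above. It models a user-creation endpoint in the form described (a handler that trusts the requested privilege without checking the caller), places a hardened handler beside it that enforces the missing authorization, and adds the kind of periodic account review the workaround calls for. All names (`create_user_unchecked`, `create_user_checked`, `audit_accounts`, the role strings and the sample accounts) are assumptions for this example and do not correspond to the product's actual identifiers.

```python
"""Hypothetical user-creation endpoint: missing-authorization handler,
hardened handler, and an account audit.  Not the product's own code."""
from dataclasses import dataclass, field

# Assumed role hierarchy; higher rank means more privilege.
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


@dataclass
class User:
    name: str
    role: str
    created_by: str  # name of the account that created this one


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)


def create_user_unchecked(store: UserStore, caller: User, body: dict) -> User:
    """Hypothetical vulnerable handler: persists whatever role the request
    body asks for, without checking whether the caller may create users
    or grant that role.  This is the class of defect the advisory describes."""
    user = User(body["name"], body["role"], created_by=caller.name)
    store.users[user.name] = user
    return user


def create_user_checked(store: UserStore, caller: User, body: dict) -> User:
    """Hardened handler: server-side authorization before any state change."""
    # 1. Only administrators may create accounts at all.
    if caller.role != "admin":
        raise Forbidden("user creation requires the admin role")
    # 2. The requested role must be a known role (never trust free-form input).
    role = body.get("role")
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    # 3. Nobody may grant a privilege level above their own.
    if ROLE_RANK[role] > ROLE_RANK[caller.role]:
        raise Forbidden("cannot grant a role above the caller's own")
    # 4. Refuse to silently overwrite an existing account.
    if body["name"] in store.users:
        raise ValueError(f"user {body['name']!r} already exists")
    user = User(body["name"], role, created_by=caller.name)
    store.users[user.name] = user
    return user


def audit_accounts(store: UserStore, approved_admins: set) -> list:
    """Periodic review, as the workaround recommends: flag admin accounts
    outside an approved baseline, and accounts whose creator holds less
    privilege than the account itself (a sign of privilege escalation)."""
    findings = []
    for u in store.users.values():
        if u.role == "admin" and u.name not in approved_admins:
            findings.append(f"unexpected admin account {u.name!r} created by {u.created_by!r}")
        creator = store.users.get(u.created_by)
        if creator is not None and ROLE_RANK[creator.role] < ROLE_RANK[u.role]:
            findings.append(f"{u.name!r} ({u.role}) was created by lower-privileged {creator.name!r} ({creator.role})")
    return findings


def demo_store() -> UserStore:
    """Constructed sample data: one approved admin and one low-privileged user."""
    store = UserStore()
    store.users["alice"] = User("alice", "admin", created_by="system")
    store.users["bob"] = User("bob", "viewer", created_by="alice")
    return store


if __name__ == "__main__":
    store = demo_store()
    bob, alice = store.users["bob"], store.users["alice"]
    # The unchecked handler lets a viewer mint an admin account.
    create_user_unchecked(store, bob, {"name": "mallory", "role": "admin"})
    # The checked handler refuses the same request from the same caller.
    try:
        create_user_checked(store, bob, {"name": "eve", "role": "admin"})
    except Forbidden as exc:
        print("blocked:", exc)
    for finding in audit_accounts(store, approved_admins={"alice"}):
        print("audit:", finding)
```

Run as a script, the unchecked handler silently accepts the escalated request while the checked handler rejects it, and the audit lists the rogue account twice: once because it is an admin outside the baseline, and once because its creator held less privilege than the account itself. The audit is deliberately keyed on a maintained list of approved administrators, which is the concrete form "review all accounts" takes when repeated on a schedule.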
