Q-Free MaxTime Password Reset Vulnerability in Users Routes
Vulnerability
A missing authorization vulnerability has been identified in Q-Free MaxTime versions through 2.11.0. This vulnerability allows authenticated low-privileged attackers to reset passwords, including those of administrator accounts, by sending crafted HTTP requests.
Impact
Exploitation of this vulnerability allows low-privileged authenticated attackers to reset administrator passwords, potentially leading to full control over the system.
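The flaw described above is a missing authorization check, not a missing authentication check: the route confirms that the caller is logged in but never confirms that the caller is allowed to act on the targeted account. The following added example (not Q-Free's code, and not modelled on MaxTime's data model; all names, roles and sample accounts are constructed for illustration) shows a password-reset handler written both ways, together with an audit trail that records every attempt so a reviewer can spot a low-privileged account touching other users' credentials.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller is not allowed to act on the target account."""


@dataclass
class User:
    username: str
    role: str            # "admin" or "user" (hypothetical role names)
    salt: bytes
    password_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, role, salt, hash_password(password, salt))


def build_store() -> dict:
    # Constructed sample user store: one administrator, one low-privileged user.
    return {
        "admin": make_user("admin", "admin", "admin-initial-pw"),
        "operator": make_user("operator", "user", "operator-initial-pw"),
    }


# Every reset attempt, allowed or denied, is appended here as (caller, target, outcome).
AUDIT_LOG: list = []


def _apply_reset(store: dict, target: str, new_password: str) -> None:
    user = store[target]
    user.salt = os.urandom(16)
    user.password_hash = hash_password(new_password, user.salt)


def reset_password_unchecked(store: dict, caller: str, target: str, new_password: str) -> bool:
    """Vulnerable pattern: the handler only checks that the caller is authenticated.
    Any logged-in account can therefore overwrite any other account's password."""
    if caller not in store or target not in store:
        return False
    _apply_reset(store, target, new_password)
    AUDIT_LOG.append((caller, target, "allowed-unchecked"))
    return True


def can_reset(store: dict, caller: str, target: str) -> bool:
    """Authorization rule: a caller may reset only their own password,
    unless the caller holds the admin role."""
    if caller not in store or target not in store:
        return False
    actor = store[caller]
    return actor.username == target or actor.role == "admin"


def reset_password_checked(store: dict, caller: str, target: str, new_password: str) -> bool:
    """Hardened pattern: the authorization rule is enforced on every request,
    and denied attempts are logged rather than silently ignored."""
    if caller not in store or target not in store:
        return False
    if not can_reset(store, caller, target):
        AUDIT_LOG.append((caller, target, "denied"))
        raise AuthorizationError(f"{caller} may not reset the password of {target}")
    _apply_reset(store, target, new_password)
    AUDIT_LOG.append((caller, target, "allowed"))
    return True


def verify_password(store: dict, username: str, password: str) -> bool:
    u = store[username]
    return hmac.compare_digest(hash_password(password, u.salt), u.password_hash)


if __name__ == "__main__":
    store = build_store()
    print("operator resets admin (unchecked):", reset_password_unchecked(store, "operator", "admin", "x"))
    store = build_store()
    try:
        reset_password_checked(store, "operator", "admin", "x")
    except AuthorizationError as exc:
        print("operator resets admin (checked):", exc)
    print(AUDIT_LOG)
```

The check belongs in the handler for every account-modifying route, not only in the UI that hides the button: the vulnerability exists precisely because a crafted request bypasses whatever the front end enforces. The denied entries in the audit trail are the signal to review when applying the remediation advice below.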
Remediation
Until an official patch is released, it is recommended to periodically review and verify the passwords of users, especially those with administrative privileges, on the management web application of devices running Q-Free MaxTime versions through 2.11.0. Additionally, review all accounts on the same management web application and delete any unnecessary ones.
