Shodan
Vulnerabilities
Vulnerable Software
Q-Free:  >> Maxtime  Security Vulnerabilities
CVE-2025-26378
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-02-12
CVE-2025-26371
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-02-12
CVE-2025-26372
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users from groups via crafted HTTP requests.
CVSS Score
7.1
EPSS Score
0.001
Published
2025-02-12
CVE-2025-26374
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua (users endpoint) in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to enumerate users via crafted HTTP requests.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-02-12
CVE-2025-26375
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-02-12
CVE-2025-26376
A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to modify user data via crafted HTTP requests.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-02-12
CVE-2025-26367
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create arbitrary user groups via crafted HTTP requests.
CVSS Score
4.3
EPSS Score
0.001
Published
2025-02-12
CVE-2025-26368
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests.
CVSS Score
8.1
EPSS Score
0.001
Published
2025-02-12
CVE-2025-26369
A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-02-12


Products
Pricing
Contact Us

Shodan ® - All rights reserved