Missing Authorization in Q-Free MaxTime Affects User Endpoint
CVE-2025-26373

6.5MEDIUM

Key Information:

Vendor: Q-free
Status: Maxtime
Vendor: CVE Published:; 12 February 2025

What is CVE-2025-26373?

The Q-Free MaxTime application prior to version 2.11.0 contains a vulnerability in its user endpoint (maxprofile/users/routes.lua) that stems from a missing authorization check. This flaw allows an authenticated attacker with low privileges to exploit crafted HTTP requests for user enumeration, potentially exposing sensitive information about user accounts.

Affected Version(s)

MaxTime 0 <= 2.11.0

References

https://www.nozominetworks.com/labs/vulnerability-advisor...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2025
Vulnerability Reserved
Feb 7, 2025

Credit

Diego Giubertoni of Nozomi Networks found this bug during a security research activity.