Missing Authorization Vulnerability in Q-Free MaxTime Software
CVE-2025-26374

4.3MEDIUM

Key Information:

Vendor: Q-free
Status: Maxtime
Vendor: CVE Published:; 12 February 2025

What is CVE-2025-26374?

The vulnerability exists in the Q-Free MaxTime software, specifically within the maxprofile/users/routes.lua file, which handles user interactions on the users endpoint. An authenticated attacker with low privileges can exploit this flaw to enumerate user accounts by sending specially crafted HTTP requests. This could lead to unauthorized disclosure of user information, posing further risks of targeted attacks or account takeover.

Affected Version(s)

MaxTime 0 <= 2.11.0

References

https://www.nozominetworks.com/labs/vulnerability-advisor...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2025
Vulnerability Reserved
Feb 7, 2025

Credit

Diego Giubertoni of Nozomi Networks found this bug during a security research activity.