VYPR

MaxTime

by Q-Free

CVEs (43)

  • CVE-2025-26359CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset user PINs via crafted HTTP requests.

  • CVE-2025-26347CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user permissions via crafted HTTP requests.

  • CVE-2025-26345CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/menu/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to edit user group permissions via crafted HTTP requests.

  • CVE-2025-26344CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/guest-mode/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable passwordless guest mode via crafted HTTP requests.

  • CVE-2025-26342CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to create arbitrary users, including administrators, via crafted HTTP requests.

  • CVE-2025-26341CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.

  • CVE-2025-26339CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxtime/handleRoute.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to affect the device confidentiality, integrity, or availability in multiple unspecified ways via…

  • CVE-2025-1100CriFeb 12, 2025
    risk 0.64cvss 9.8epss 0.01

    A CWE-259 "Use of Hard-coded Password" for the root account in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to execute arbitrary code with root privileges via SSH.

  • CVE-2025-26361CriFeb 12, 2025
    risk 0.59cvss 9.1epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to factory reset the device via crafted HTTP requests.

  • CVE-2025-26378HigFeb 12, 2025
    risk 0.57cvss 8.8epss 0.01

    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to reset passwords, including the ones of administrator accounts, via crafted HTTP requests.

  • CVE-2025-26375HigFeb 12, 2025
    risk 0.57cvss 8.8epss 0.01

    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to create users with arbitrary privileges via crafted HTTP requests.

  • CVE-2025-26371HigFeb 12, 2025
    risk 0.57cvss 8.8epss 0.01

    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add users to groups via crafted HTTP requests.

  • CVE-2025-26369HigFeb 12, 2025
    risk 0.57cvss 8.8epss 0.01

    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to add privileges to user groups via crafted HTTP requests.

  • CVE-2025-26340HigFeb 12, 2025
    risk 0.57cvss 8.8epss 0.01

    A CWE-321 "Use of Hard-coded Cryptographic Key" in the JWT signing in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to bypass the authentication via crafted HTTP requests.

  • CVE-2025-26377HigFeb 12, 2025
    risk 0.53cvss 8.1epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/users/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove users via crafted HTTP requests.

  • CVE-2025-26368HigFeb 12, 2025
    risk 0.53cvss 8.1epss 0.00

    A CWE-862 "Missing Authorization" in maxprofile/user-groups/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an authenticated (low-privileged) attacker to remove user groups via crafted HTTP requests.

  • CVE-2025-26343HigFeb 12, 2025
    risk 0.53cvss 8.1epss 0.01

    A CWE-1390 "Weak Authentication" in the PIN authentication mechanism in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to brute-force user PINs via multiple crafted HTTP requests.

  • CVE-2025-26366HigFeb 12, 2025
    risk 0.49cvss 7.5epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable front panel authentication via crafted HTTP requests.

  • CVE-2025-26365HigFeb 12, 2025
    risk 0.49cvss 7.5epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to enable front panel authentication via crafted HTTP requests.

  • CVE-2025-26364HigFeb 12, 2025
    risk 0.49cvss 7.5epss 0.01

    A CWE-306 "Missing Authentication for Critical Function" in maxprofile/setup/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to disable an authentication profile server via crafted HTTP requests.

Page 1 of 3