How the CVE Works:
CVE-2025-26372 is a critical vulnerability in Q-Free MaxTime versions 2.11.0 and earlier. It is a Missing Authorization flaw (CWE-862) in the `maxprofile/user-groups/routes.lua` file: the route that removes a user from a group checks that the caller is logged in, but not that the caller is permitted to manage groups. An authenticated attacker with low privileges can therefore send a crafted HTTP request naming any user and group and have that user removed from the group. Because group membership typically drives what a user is allowed to see and do, the attacker can use this to disrupt user management and undermine access-control decisions that depend on group membership.
DailyCVE Form:
Platform: Q-Free MaxTime
Version: <= 2.11.0
Vulnerability: Missing Authorization
Severity: Critical
Date: 02/12/2025
What Undercode Say:
Exploitation:
- Craft an HTTP POST request to the `/user-groups/remove` endpoint.
- Put the target user ID and group ID in the JSON body.
- Send the request with the session cookie of a low-privileged authenticated account; the server does not check that this account may manage groups.
Example Exploit Code:
curl -X POST http://<target-ip>/user-groups/remove -H "Content-Type: application/json" -d '{"userId": "targetUser", "groupId": "targetGroup"}' --cookie "session=<low-privileged-session-token>"
Protection:
- Update Q-Free MaxTime to a fixed release (later than 2.11.0), as directed by the vendor advisory.
- Implement proper authorization checks in `routes.lua`: authentication alone is not sufficient.
- Validate the caller's permissions on the server before processing any group-management request; do not rely on the UI hiding the action from low-privileged users.
Example Patch Code (illustrative; the route-registration and `req.user` API shown is generic, not necessarily MaxTime's own):
-- routes.lua: refuse group-management requests from sessions that lack the permission
local function authorizeUser(req, res, next)
    if not req.user or not req.user:hasPermission("manage_groups") then
        return res:status(403):send("Unauthorized")
    end
    next()
end

-- Run the authorization middleware before the handler that actually removes the user
app:post("/user-groups/remove", authorizeUser, removeUserFromGroup)
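To make the exploitation and protection sections concrete, the following Python model replays the curl request above against a MaxTime-style `/user-groups/remove` route wired two ways: without an authorization step (the CWE-862 condition) and with a permission check inserted before the handler, as in the patch sketch. This is an added illustration written for this page, not Q-Free code; the session table, the `manage_groups` permission name, the user names and the group contents are constructed for the demo. Only the endpoint path and the `userId`/`groupId` field names come from the page.

```python
"""Model of a group-removal route, vulnerable (no authorization) and fixed.

Added example for this page, not Q-Free MaxTime code. The framework
(Request/Response, route table, middleware) and all sample data are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Constructed session table: cookie token -> user record with a permission set.
SESSIONS = {
    "sess-admin": {"name": "admin", "perms": {"manage_groups"}},
    "sess-lowpriv": {"name": "viewer", "perms": set()},  # low-privileged login
}


@dataclass
class Request:
    path: str
    body: str     # raw JSON body, as sent by the curl example
    cookie: str   # session token taken from the "session=" cookie


@dataclass
class Response:
    status: int
    body: str


Handler = Callable[[Request, dict, Dict[str, Set[str]]], Response]


def authenticate(req: Request):
    """Return the user record for the session cookie, or None if not logged in."""
    return SESSIONS.get(req.cookie)


def remove_user_from_group(req: Request, user: dict,
                           groups: Dict[str, Set[str]]) -> Response:
    """Core handler: drop userId from groupId.

    It performs no permission check of its own, so it is only safe when the
    route wiring runs an authorization step before it.
    """
    try:
        data = json.loads(req.body)
        group = groups[data["groupId"]]
        user_id = data["userId"]
    except (ValueError, KeyError):
        return Response(400, "bad request")
    group.discard(user_id)
    return Response(200, "removed")


def require_permission(perm: str, handler: Handler) -> Handler:
    """Middleware equivalent of the authorizeUser function in the patch sketch."""
    def wrapped(req, user, groups):
        if perm not in user["perms"]:
            return Response(403, "Unauthorized")
        return handler(req, user, groups)
    return wrapped


# VULNERABLE mirrors an unpatched route: authenticated callers go straight to
# the handler. FIXED inserts the authorization middleware in front of it.
VULNERABLE_ROUTES = {"/user-groups/remove": remove_user_from_group}
FIXED_ROUTES = {
    "/user-groups/remove": require_permission("manage_groups", remove_user_from_group)
}


def dispatch(routes, req: Request, groups) -> Response:
    user = authenticate(req)
    if user is None:
        return Response(401, "login required")
    handler = routes.get(req.path)
    if handler is None:
        return Response(404, "not found")
    return handler(req, user, groups)


def replay(routes, session: str):
    """Replay the page's curl request with the given session.

    Returns (HTTP status, remaining members of targetGroup) so the effect on
    server state is visible, not just the status code.
    """
    groups = {"targetGroup": {"targetUser", "otherUser"}}  # constructed state
    req = Request(
        "/user-groups/remove",
        json.dumps({"userId": "targetUser", "groupId": "targetGroup"}),
        session,
    )
    resp = dispatch(routes, req, groups)
    return resp.status, sorted(groups["targetGroup"])


if __name__ == "__main__":
    print("vulnerable, low-priv:", replay(VULNERABLE_ROUTES, "sess-lowpriv"))
    print("fixed, low-priv:     ", replay(FIXED_ROUTES, "sess-lowpriv"))
    print("fixed, admin:        ", replay(FIXED_ROUTES, "sess-admin"))
```

With the vulnerable wiring the low-privileged session gets a 200 and `targetUser` is gone from the group; with the fixed wiring the same request returns 403 and the group is untouched, while the admin session still succeeds. The check lives in the route wiring rather than inside the handler so that every group-management route registered the same way gets it, which is the usual fix pattern for CWE-862.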
Analytics:
- Attack Vector: Network
- Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Impact: High (Confidentiality, Integrity, Availability)
References:
- NVD CVE-2025-26372: https://nvd.nist.gov/vuln/detail/CVE-2025-26372
- Q-Free MaxTime Security Advisory: https://www.q-free.com/security-advisories
- CWE-862 Documentation: https://cwe.mitre.org/data/definitions/862.html
Commands:
- Check version: `curl -I http://<target-ip>/version`
- Test vulnerability: send the exploit request above to a test instance you are authorized to assess, using a low-privileged session, and confirm whether the target user is removed from the group.
- Patch system: `sudo apt-get update && sudo apt-get upgrade q-free-maxtime` (only if MaxTime is installed from a package repository; otherwise follow the vendor's update procedure)
URLs:
- Q-Free MaxTime Documentation: https://www.q-free.com/maxtime-docs
- Nozomi Networks Report: https://www.nozominetworks.com/blog/cve-2025-26372-analysis
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-26372